diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 454379ee109..5c1fc8c4729 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -44,12 +44,12 @@ jobs: strategy: fail-fast: true matrix: - python: ["3.7", "3.8", "3.9", "3.10", "3.11"] + python: ["3.8", "3.9", "3.10", "3.11"] os: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 with: python-version: ${{ matrix.python }} - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3 @@ -93,11 +93,13 @@ jobs: pipenv run pytest integration_tests prisma-tests: runs-on: [ self-hosted, public, linux, x64 ] + env: + PYTHON_VERSION: "3.8" steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 with: - python-version: 3.7 + python-version: ${{ env.PYTHON_VERSION }} - name: Install pipenv run: | python -m pip install --no-cache-dir --upgrade pipenv @@ -107,7 +109,7 @@ jobs: run: | # remove venv, if exists pipenv --rm || true - pipenv --python 3.7 + pipenv --python ${{ env.PYTHON_VERSION }} pipenv run pip install pytest pytest-xdist pipenv run python setup.py sdist bdist_wheel pipenv run pip install dist/checkov-*.whl @@ -122,12 +124,14 @@ jobs: unit-tests: timeout-minutes: 30 runs-on: ubuntu-latest + env: + PYTHON_VERSION: "3.8" steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - - name: Set up Python 3.7 - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 + - name: Set up Python ${{ env.PYTHON_VERSION }} + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 with: - python-version: 3.7 + python-version: ${{ env.PYTHON_VERSION }} - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3 with: token: ${{ secrets.GITHUB_TOKEN }} @@ -141,7 +145,7 @@ jobs: run: | # remove venv, if exists pipenv --rm || true - pipenv --python 3.7 + pipenv --python ${{ env.PYTHON_VERSION }} pipenv install --dev - name: Test with pytest env: @@ -157,20 +161,22 @@ jobs: # IMPORTANT: this permission is mandatory for trusted publishing to pypi id-token: write timeout-minutes: 30 + env: + PYTHON_VERSION: "3.8" steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 with: token: ${{ secrets.GH_PAT_SECRET }} - name: Import GPG key id: import_gpg - uses: crazy-max/ghaction-import-gpg@d6f3f49f3345e29369fe57596a3ca8f94c4d2ca7 # v5 + uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v5 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.PASSPHRASE }} - - name: Set up Python 3.7 - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4 + - name: Set up Python ${{ env.PYTHON_VERSION }} + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 with: - python-version: 3.7 + python-version: ${{ env.PYTHON_VERSION }} - name: Install pipenv run: | python -m pip install --no-cache-dir --upgrade pipenv @@ -178,7 +184,7 @@ jobs: run: | # remove venv, if exists pipenv --rm || true - pipenv --python 3.7 + pipenv --python ${{ env.PYTHON_VERSION }} pipenv install - name: Calculate version run: | @@ -300,34 +306,12 @@ jobs: BC_API_KEY: ${{ secrets.BC_API_KEY }} DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} - publish-checkov-pyston-dockerhub: - runs-on: [self-hosted, public, linux, x64] - needs: bump-version - environment: release - steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - - name: Get release version - id: versions - run: | - checkov_version=${{ needs.bump-version.outputs.version }} - checkov_major_version=$(echo "${checkov_version}" | head -c1) - echo "version=$checkov_version" >> "$GITHUB_OUTPUT" - echo "major_version=$checkov_major_version" >> "$GITHUB_OUTPUT" - - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@43dc228e327224b2eda11c8883232afd5b34943b # v5 - with: - name: bridgecrew/checkov - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} - tags: "pyston,${{ steps.versions.outputs.version }}-pyston,${{ steps.versions.outputs.major_version }}-pyston" - dockerfile: Dockerfile.pyston - buildoptions: "--no-cache" update-bridgecrew-projects: needs: publish-checkov-dockerhub runs-on: [self-hosted, public, linux, x64] environment: release steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 - name: update checkov release run: | curl -X POST "https://jenkins-webhook.bridgecrew.cloud/buildByToken/build?job=Open-Source/upgrade-checkov&token=${{ secrets.BC_JENKINS_TOKEN }}" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e3a47879359..37ea210c4f7 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -34,9 +34,9 @@ jobs: security-events: write steps: - name: Checkout repository - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 - name: Set up Python - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 with: python-version: '3.10' - name: Setup python for CodeQL @@ -54,12 +54,12 @@ jobs: pipenv lock -r > requirements.txt pip install -r requirements.txt - name: Initialize CodeQL - uses: github/codeql-action/init@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2 + uses: github/codeql-action/init@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2 with: languages: python setup-python-dependencies: false config-file: ./.github/codeql-config.yml - name: Autobuild - uses: github/codeql-action/autobuild@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2 + uses: github/codeql-action/autobuild@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2 + uses: github/codeql-action/analyze@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2 diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml index 72049792d46..021a4e85cb5 100644 --- a/.github/workflows/coverage.yaml +++ b/.github/workflows/coverage.yaml @@ -14,20 +14,22 @@ jobs: permissions: contents: write environment: release + env: + PYTHON_VERSION: "3.8" steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 with: token: ${{ secrets.GH_PAT_SECRET }} - name: Import GPG key id: import_gpg - uses: crazy-max/ghaction-import-gpg@d6f3f49f3345e29369fe57596a3ca8f94c4d2ca7 # v5 + uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v5 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.PASSPHRASE }} - - name: Set up Python 3.7 - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4 + - name: Set up Python ${{ env.PYTHON_VERSION }} + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 with: - python-version: 3.7 + python-version: ${{ env.PYTHON_VERSION }} - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3 with: token: ${{ secrets.GITHUB_TOKEN }} @@ -41,7 +43,7 @@ jobs: run: | # remove venv, if exists pipenv --rm || true - pipenv --python 3.7 + pipenv --python ${{ env.PYTHON_VERSION }} pipenv install --dev pipenv run pip install pytest - name: Test with pytest diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml index 8a08eff8c5a..971c3c0b2cc 100644 --- a/.github/workflows/jekyll-gh-pages.yml +++ b/.github/workflows/jekyll-gh-pages.yml @@ -27,7 +27,7 @@ jobs: runs-on: [self-hosted, public, linux, x64] steps: - name: Checkout - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 - name: Setup Pages uses: actions/configure-pages@f156874f8191504dae5b037505266ed5dda6c382 # v3 - name: Build with Jekyll diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 7fa26d225b2..b72e596dd03 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -16,7 +16,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 with: fetch-depth: 0 token: ${{ secrets.GH_PAT_SECRET }} @@ -62,7 +62,7 @@ jobs: release-notes: ${{ steps.build_github_release.outputs.changelog }} - name: Commit updated CHANGELOG.md if: steps.build_github_release.outputs.changelog != '' - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4 + uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5 with: commit_message: "chore: update release notes" file_pattern: CHANGELOG.md @@ -87,14 +87,16 @@ jobs: runs-on: ${{ matrix.os }} permissions: contents: write + env: + PYTHON_VERSION: "3.8" steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 with: fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 with: - python-version: 3.7 + python-version: ${{ env.PYTHON_VERSION }} - name: Install pipenv run: | python -m pip install --no-cache-dir --upgrade pipenv @@ -124,11 +126,11 @@ jobs: if: needs.github-release.outputs.upload_url != '' runs-on: [self-hosted, public, linux, arm64] container: - image: arm64v8/python:3.7 + image: arm64v8/python:3.8 permissions: contents: write steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 with: fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pipenv-update.yml b/.github/workflows/pipenv-update.yml index bbe2033653c..01512e8c23f 100644 --- a/.github/workflows/pipenv-update.yml +++ b/.github/workflows/pipenv-update.yml @@ -13,20 +13,22 @@ jobs: permissions: contents: write pull-requests: write + env: + PYTHON_VERSION: "3.8" steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 with: ref: ${{ github.head_ref }} token: ${{ secrets.GH_PAT_SECRET }} - name: Import GPG key id: import_gpg - uses: crazy-max/ghaction-import-gpg@d6f3f49f3345e29369fe57596a3ca8f94c4d2ca7 # v5 + uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v5 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.PASSPHRASE }} - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 with: - python-version: 3.7 + python-version: ${{ env.PYTHON_VERSION }} - name: Install pipenv run: | python -m pip install --no-cache-dir --upgrade pipenv diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml index b6eac5ac8f0..eda3d2c7844 100644 --- a/.github/workflows/pr-test.yml +++ b/.github/workflows/pr-test.yml @@ -18,7 +18,7 @@ jobs: pull-requests: read steps: - name: Checkout code - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 - name: Install Node.js uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3 with: @@ -31,11 +31,13 @@ jobs: danger ci --verbose --failOnErrors cfn-lint: runs-on: ubuntu-latest + env: + PYTHON_VERSION: "3.8" steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 with: - python-version: 3.7 + python-version: ${{ env.PYTHON_VERSION }} - name: Install cfn-lint run: | pip install -U cfn-lint @@ -45,18 +47,20 @@ jobs: mypy: uses: bridgecrewio/gha-reusable-workflows/.github/workflows/mypy.yaml@main + with: + python-version: "3.8" unit-tests: strategy: fail-fast: true matrix: - python: ["3.7", "3.8", "3.9", "3.10", "3.11"] + python: ["3.8", "3.9", "3.10", "3.11"] runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 - name: Set up Python ${{ matrix.python }} - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 with: python-version: ${{ matrix.python }} cache: "pipenv" @@ -76,22 +80,26 @@ jobs: pipenv --rm || true pipenv --python ${{ matrix.python }} pipenv install --dev -v + pipenv run pip install redefine --index-url https://pip.redefine.dev - name: Unit tests env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + REDEFINE_AUTH: ${{ secrets.REDEFINE_AUTH }} run: | + pipenv run redefine config set stable_branch=main matrix_value=${{ matrix.python }} + pipenv run redefine start --pytest --discover pipenv run python -m pytest tests integration-tests: strategy: fail-fast: true matrix: - python: ["3.7", "3.8", "3.9", "3.10", "3.11"] + python: ["3.8", "3.9", "3.10", "3.11"] os: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 with: python-version: ${{ matrix.python }} cache: "pipenv" @@ -135,18 +143,15 @@ jobs: pipenv run pytest integration_tests -k 'not api_key' performance-tests: - strategy: - fail-fast: false - matrix: - python: ["3.7"] env: + PYTHON_VERSION: "3.8" working-directory: ./performance_tests runs-on: [self-hosted, public, linux, x64] steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 with: - python-version: ${{ matrix.python }} + python-version: ${{ env.PYTHON_VERSION }} cache: "pipenv" cache-dependency-path: "Pipfile.lock" - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3 @@ -163,7 +168,7 @@ jobs: run: | # remove venv, if exists pipenv --rm || true - pipenv --python ${{ matrix.python }} + pipenv --python ${{ env.PYTHON_VERSION }} # 'py' package is used in 'pytest-benchmark', but 'pytest' removed it in their latest version pipenv run pip install pytest pytest-benchmark py pipenv run python setup.py sdist bdist_wheel @@ -185,11 +190,11 @@ jobs: dogfood-tests: runs-on: ubuntu-latest env: - PYTHON_VERSION: "3.7" + PYTHON_VERSION: "3.8" WORKING_DIRECTORY: ./dogfood_tests steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 with: python-version: ${{ env.PYTHON_VERSION }} cache: "pipenv" diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index a299269288c..f030326f11d 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -15,7 +15,7 @@ jobs: permissions: contents: write steps: - - uses: thehanimo/pr-title-checker@0cf5902181e78341bb97bb06646396e5bd354b3f # v1 + - uses: thehanimo/pr-title-checker@5652588c80c479af803eabfbdb5a3895a77c1388 # v1 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} configuration_path: ".github/pr-title-checker-config.json" diff --git a/.github/workflows/security-shared.yml b/.github/workflows/security-shared.yml index 77bf4e1a597..0daf55e3a1f 100644 --- a/.github/workflows/security-shared.yml +++ b/.github/workflows/security-shared.yml @@ -14,7 +14,7 @@ jobs: bandit: runs-on: [self-hosted, public, linux, x64] steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 with: ref: ${{ github.event.pull_request.head.sha }} - name: security test @@ -24,7 +24,7 @@ jobs: trufflehog-secrets: runs-on: [self-hosted, public, linux, x64] steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 with: ref: ${{ github.event.pull_request.head.sha }} - name: detect secrets @@ -34,7 +34,7 @@ jobs: checkov-secrets: runs-on: [self-hosted, public, linux, x64] steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 with: ref: ${{ github.event.pull_request.head.sha }} - name: Scan for secrets diff --git a/CHANGELOG.md b/CHANGELOG.md index ca061951f9d..a3ff8179765 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,181 @@ # CHANGELOG -## [Unreleased](https://github.com/bridgecrewio/checkov/compare/2.4.29...HEAD) +## [Unreleased](https://github.com/bridgecrewio/checkov/compare/2.5.11...HEAD) + +## [2.5.11](https://github.com/bridgecrewio/checkov/compare/2.5.10...2.5.11) - 2023-10-17 + +### Feature + +- **sca:** giving file path on relative the the current dir for cases there is no either specified root_folder and the is no repo scan dir - [#5654](https://github.com/bridgecrewio/checkov/pull/5654) + +## [2.5.10](https://github.com/bridgecrewio/checkov/compare/2.5.9...2.5.10) - 2023-10-16 + +### Feature + +- **terraform:** support scanning of Terraform managed modules instead of downloading them - [#5635](https://github.com/bridgecrewio/checkov/pull/5635) + +### Bug Fix + +- **terraform:** Fixing issues with checks CKV_AZURE_226 & CKV_AZURE_227 - [#5638](https://github.com/bridgecrewio/checkov/pull/5638) + +## [2.5.9](https://github.com/bridgecrewio/checkov/compare/2.5.8...2.5.9) - 2023-10-15 + +### Feature + +- **sca:** support case where there are no cves suppressions - [#5636](https://github.com/bridgecrewio/checkov/pull/5636) + +## [2.5.8](https://github.com/bridgecrewio/checkov/compare/2.5.6...2.5.8) - 2023-10-12 + +### Feature + +- **general:** Remove code upload for on-prem integrations - [#5624](https://github.com/bridgecrewio/checkov/pull/5624) + +## [2.5.6](https://github.com/bridgecrewio/checkov/compare/2.5.3...2.5.6) - 2023-10-05 + +### Feature + +- **arm:** implement CKV_AZURE_95 for ARM - [#5500](https://github.com/bridgecrewio/checkov/pull/5500) +- **general:** Added source and target to edge data - [#5621](https://github.com/bridgecrewio/checkov/pull/5621) + +### Bug Fix + +- **terraform_plan:** add azurerm_portal_dashboard to jsonify list - [#5618](https://github.com/bridgecrewio/checkov/pull/5618) +- **terraform:** check if the dynamic name is one of the resources block - [#5607](https://github.com/bridgecrewio/checkov/pull/5607) + +## [2.5.3](https://github.com/bridgecrewio/checkov/compare/2.4.61...2.5.3) - 2023-10-04 + +### Breaking Change + +- **general:** remove Python 3.7 - [#5605](https://github.com/bridgecrewio/checkov/pull/5605) +- **graph:** remove CHECKOV_CREATE_GRAPH env var to control graph creation - [#5606](https://github.com/bridgecrewio/checkov/pull/5606) + +### Bug Fix + +- **dockerfile:** fix Docker image scan - [#5617](https://github.com/bridgecrewio/checkov/pull/5617) +- **openapi:** Take into account that security is at the root level of your OpenAPI specification. - [#5603](https://github.com/bridgecrewio/checkov/pull/5603) +- **terraform:** stop CKV_GCP_43 crashing when not a string - [#5561](https://github.com/bridgecrewio/checkov/pull/5561) + +## [2.4.61](https://github.com/bridgecrewio/checkov/compare/2.4.59...2.4.61) - 2023-10-03 + +### Bug Fix + +- **terraform:** fix upload resource_subgraph_maps - [#5615](https://github.com/bridgecrewio/checkov/pull/5615) + +### Platform + +- **terraform:** Upload resource subgraph map - [#5612](https://github.com/bridgecrewio/checkov/pull/5612) + +## [2.4.59](https://github.com/bridgecrewio/checkov/compare/2.4.58...2.4.59) - 2023-10-02 + +### Platform + +- **terraform:** fix in subgraphs uploads - [#5610](https://github.com/bridgecrewio/checkov/pull/5610) + +## [2.4.58](https://github.com/bridgecrewio/checkov/compare/2.4.57...2.4.58) - 2023-10-01 + +### Platform + +- **terraform:** upload tf sub graphs - [#5596](https://github.com/bridgecrewio/checkov/pull/5596) + +## [2.4.57](https://github.com/bridgecrewio/checkov/compare/2.4.55...2.4.57) - 2023-09-29 + +### Feature + +- **terraform:** Ensure ephemeral disks are used for OS disks - [#5584](https://github.com/bridgecrewio/checkov/pull/5584) +- **terraform:** Ensure that App Service plan is zone redundant - [#5577](https://github.com/bridgecrewio/checkov/pull/5577) +- **terraform:** Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources - [#5588](https://github.com/bridgecrewio/checkov/pull/5588) + +## [2.4.55](https://github.com/bridgecrewio/checkov/compare/2.4.51...2.4.55) - 2023-09-28 + +### Feature + +- **general:** Add image referencer rustworkx support - [#5564](https://github.com/bridgecrewio/checkov/pull/5564) +- **general:** Add rustworkx support - [#5595](https://github.com/bridgecrewio/checkov/pull/5595) +- **terraform:** Adding 2 new AWS policies - [#5599](https://github.com/bridgecrewio/checkov/pull/5599) +- **terraform:** simply IMDSv2 checks - [#5601](https://github.com/bridgecrewio/checkov/pull/5601) + +## [2.4.51](https://github.com/bridgecrewio/checkov/compare/2.4.50...2.4.51) - 2023-09-27 + +### Feature + +- **arm:** CKV_AZURE_88 convert to arm check - [#5465](https://github.com/bridgecrewio/checkov/pull/5465) +- **arm:** implement CKV_AZURE_149 for ARM - [#5496](https://github.com/bridgecrewio/checkov/pull/5496) + +### Bug Fix + +- **terraform:** Adding missing null checks - [#5589](https://github.com/bridgecrewio/checkov/pull/5589) + +## [2.4.50](https://github.com/bridgecrewio/checkov/compare/2.4.48...2.4.50) - 2023-09-26 + +### Feature + +- **general:** add rustworkx (#5511) - [#5565](https://github.com/bridgecrewio/checkov/pull/5565) +- **general:** Revert add rustworkx (#5565)" - [#5594](https://github.com/bridgecrewio/checkov/pull/5594) + +## [2.4.48](https://github.com/bridgecrewio/checkov/compare/2.4.47...2.4.48) - 2023-09-21 + +### Platform + +- **general:** expose retry and timeout configuration for interaction with the platform - [#5585](https://github.com/bridgecrewio/checkov/pull/5585) + +## [2.4.47](https://github.com/bridgecrewio/checkov/compare/2.4.39...2.4.47) - 2023-09-20 + +### Feature + +- **sca:** creating alias mapping for javascript - [#5567](https://github.com/bridgecrewio/checkov/pull/5567) +- **sca:** creating alias mapping for javascript - [#5582](https://github.com/bridgecrewio/checkov/pull/5582) +- **sca:** revert creating alias mapping for javascript - [#5581](https://github.com/bridgecrewio/checkov/pull/5581) + +### Bug Fix + +- **general:** fix print to encode in windows - [#5572](https://github.com/bridgecrewio/checkov/pull/5572) +- **terraform:** Nested source_module_objects with missing foreach key - [#5580](https://github.com/bridgecrewio/checkov/pull/5580) + +## [2.4.39](https://github.com/bridgecrewio/checkov/compare/2.4.36...2.4.39) - 2023-09-14 + +### Feature + +- **arm:** implement CKV2_AZURE_27 for arm - [#5534](https://github.com/bridgecrewio/checkov/pull/5534) +- **terraform:** Add new policy for deprecated runtimes - [#5555](https://github.com/bridgecrewio/checkov/pull/5555) +- **terraform:** Ensure Event Hub Namespace uses at least TLS 1.2 - [#5535](https://github.com/bridgecrewio/checkov/pull/5535) +- **terraform:** Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity - [#5541](https://github.com/bridgecrewio/checkov/pull/5541) + +## [2.4.36](https://github.com/bridgecrewio/checkov/compare/2.4.33...2.4.36) - 2023-09-13 + +### Feature + +- **general:** add rustworkx - [#5511](https://github.com/bridgecrewio/checkov/pull/5511) + +### Bug Fix + +- **terraform:** Module from_dict func to static func - [#5562](https://github.com/bridgecrewio/checkov/pull/5562) + +## [2.4.33](https://github.com/bridgecrewio/checkov/compare/2.4.32...2.4.33) - 2023-09-12 + +### Feature + +- **general:** attempt to fix overload in loaders and add tests - [#5549](https://github.com/bridgecrewio/checkov/pull/5549) +- **general:** remove 3.7 integ. test - [#5556](https://github.com/bridgecrewio/checkov/pull/5556) +- **general:** remove line to force code change - [#5558](https://github.com/bridgecrewio/checkov/pull/5558) +- **terraform:** add check Neptune DB clusters should be configured to copy tags to snapshots - [#5552](https://github.com/bridgecrewio/checkov/pull/5552) +- **terraform:** add CKV_AWS_361 to ensure Neptune DB cluster has adequate backup retention - [#5548](https://github.com/bridgecrewio/checkov/pull/5548) + +### Bug Fix + +- **terraform:** Fix external_modules_source_map serialization - [#5546](https://github.com/bridgecrewio/checkov/pull/5546) + +## [2.4.32](https://github.com/bridgecrewio/checkov/compare/2.4.30...2.4.32) - 2023-09-10 + +### Feature + +- **terraform:** add check for Neptune DB clusters IAM database auth enabled - [#5545](https://github.com/bridgecrewio/checkov/pull/5545) +- **terraform:** add CKV_AWS_360 to ensure backup retention period on AWS Document DB - [#5547](https://github.com/bridgecrewio/checkov/pull/5547) + +## [2.4.30](https://github.com/bridgecrewio/checkov/compare/2.4.29...2.4.30) - 2023-09-07 + +### Feature + +- **terraform:** add public network checks for Azure Function and Web Apps - [#5533](https://github.com/bridgecrewio/checkov/pull/5533) ## [2.4.29](https://github.com/bridgecrewio/checkov/compare/2.4.27...2.4.29) - 2023-09-06 diff --git a/Dockerfile b/Dockerfile index 89812472f02..c85228c4f22 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.10-slim +FROM python:3.11-slim ENV RUN_IN_DOCKER=True diff --git a/Dockerfile.pyston b/Dockerfile.pyston deleted file mode 100644 index 1489fa9f761..00000000000 --- a/Dockerfile.pyston +++ /dev/null @@ -1,41 +0,0 @@ -FROM pyston/slim:2.3.5 - -RUN set -eux; \ - apt-get update; \ - apt-get -y --no-install-recommends upgrade; \ - apt-get install -y --no-install-recommends \ - ca-certificates \ - git \ - curl \ - ; \ - \ - curl -sSLo get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3; \ - chmod 700 get_helm.sh; \ - VERIFY_CHECKSUM=true ./get_helm.sh; \ - rm ./get_helm.sh; \ - \ - curl -sSLo get_kustomize.sh https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh; \ - chmod 700 get_kustomize.sh; \ - ./get_kustomize.sh; mv /kustomize /usr/bin/kustomize; \ - rm ./get_kustomize.sh; \ - \ - apt-get remove -y curl; \ - apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ - rm -rf /var/lib/apt/lists/* - -RUN set -eux; \ - apt-get update; \ - apt-get install -y --no-install-recommends build-essential cmake gcc; \ - \ - pip install --no-cache-dir -U checkov; \ - \ - apt-get remove -y build-essential cmake gcc; \ - apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ - rm -rf /var/lib/apt/lists/* - -COPY ./github_action_resources/entrypoint.sh /entrypoint.sh -COPY ./github_action_resources/checkov-problem-matcher.json /usr/local/lib/checkov-problem-matcher.json -COPY ./github_action_resources/checkov-problem-matcher-softfail.json /usr/local/lib/checkov-problem-matcher-softfail.json - -# Code file to execute when the docker container starts up (`entrypoint.sh`) -ENTRYPOINT ["/entrypoint.sh"] diff --git a/Pipfile b/Pipfile index c0f062bcbe0..dce19416354 100644 --- a/Pipfile +++ b/Pipfile @@ -46,7 +46,6 @@ boto3-stubs-lite = {extras = ["s3"], version = "*"} bc-python-hcl2 = "==0.3.51" bc-detect-secrets = "==1.4.30" bc-jsonpath-ng = "==1.5.9" -deep-merge = "*" tabulate = "*" colorama="*" termcolor="*" @@ -89,6 +88,7 @@ yarl = "*" openai = "*" spdx-tools = ">=0.8.0,<0.9.0" license-expression = "*" +rustworkx = "*" [requires] -python_version = "3.7" +python_version = "3.8" diff --git a/Pipfile.lock b/Pipfile.lock index 178c45b9b7f..2aa7a7481f4 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,11 +1,11 @@ { "_meta": { "hash": { - "sha256": "e3292c84a8a0aeda530b01306a096696fc3ced355d8ce8b952aae80d3ef60895" + "sha256": "a5c36a72168a777a2e1c96b8c889ed819b5d272d01475ce2908c34a2af9d486b" }, "pipfile-spec": 6, "requires": { - "python_version": "3.7" + "python_version": "3.8" }, "sources": [ { @@ -115,6 +115,7 @@ "sha256:fd1ed388ea7fbed22c4968dd64bab0198de60750a25fe8c0c9d4bef5abe13824" ], "index": "pypi", + "markers": "python_version >= '3.6'", "version": "==3.8.5" }, "aiomultiprocess": { @@ -123,6 +124,7 @@ "sha256:3036c4c881cfbc63674686e036097f22309017c6bf96b04722a542ac9cac7423" ], "index": "pypi", + "markers": "python_version >= '3.6'", "version": "==0.9.0" }, "aiosignal": { @@ -135,11 +137,12 @@ }, "argcomplete": { "hashes": [ - "sha256:35fa893a88deea85ea7b20d241100e64516d6af6d7b0ae2bed1d263d26f70948", - "sha256:6c4c563f14f01440aaffa3eae13441c5db2357b5eec639abe7c0b15334627dff" + "sha256:d5d1e5efd41435260b8f85673b74ea2e883affcbec9f4230c582689e8e78251b", + "sha256:d97c036d12a752d1079f190bc1521c545b941fda89ad85d15afa909b4d1b9a99" ], "index": "pypi", - "version": "==3.1.1" + "markers": "python_version >= '3.6'", + "version": "==3.1.2" }, "async-timeout": { "hashes": [ @@ -149,14 +152,6 @@ "markers": "python_version >= '3.7'", "version": "==4.0.3" }, - "asynctest": { - "hashes": [ - "sha256:5da6118a7e6d6b54d83a8f7197769d046922a44d2a99c21382f0a6e4fadae676", - "sha256:c27862842d15d83e6a34eb0b2866c323880eb3a75e4485b079ea11748fd77fac" - ], - "markers": "python_version < '3.8'", - "version": "==0.13.0" - }, "attrs": { "hashes": [ "sha256:1f28b4522cdc2fb4256ac1a020c78acf9cba2c6b461ccd2c126f3aa8e8335d04", @@ -171,6 +166,7 @@ "sha256:99fd6a7e5033ea3a4532d3ccc11b3f669c447da0109e0cb9d66998f4131dba0c" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==1.4.30" }, "bc-jsonpath-ng": { @@ -179,6 +175,7 @@ "sha256:5e72d78887521469f8a52966f6f0664ec3d59dcb2cebf85b8131867a241c84ec" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==1.5.9" }, "bc-python-hcl2": { @@ -187,15 +184,16 @@ "sha256:ab72880dd58689a4ee9a47f229788311a2b4d607fe034a819a40a63dab432644" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==0.3.51" }, "beartype": { "hashes": [ - "sha256:0f70fccdb8eb6d7ddfaa3ffe3a0b66cf2edeb13452bd71ad46615775c2fa34f6", - "sha256:23df4715d19cebb2ce60e53c3cf44cd925843f00c71938222d777ea6332de3cb" + "sha256:47ec1c8c3be3f999f4f9f829e8913f65926aa7e85b180d9ffd305dc78d3e7d7b", + "sha256:72d133615fe674affc8c49365dd24dfe2260552b9a8a2b7193cdd48021527782" ], - "markers": "python_full_version >= '3.7.0'", - "version": "==0.14.1" + "markers": "python_full_version >= '3.8.0'", + "version": "==0.16.2" }, "beautifulsoup4": { "hashes": [ @@ -214,19 +212,20 @@ }, "boto3": { "hashes": [ - "sha256:6ff9a5b815e106656596064d51c9b6ba97a307807baa5f89634384b7d3f7ecc6", - "sha256:bd7c760afb195eaeaab907dc6b2c21fa64ddbba3fed4a869e80d820ddbd6cc70" + "sha256:5ddf24cf52c7fb6aaa332eaa08ae8c2afc8f2d1e8860680728533dd573904e32", + "sha256:e2d2824ba6459b330d097e94039a9c4f96ae3f4bcdc731d620589ad79dcd16d3" ], "index": "pypi", - "version": "==1.28.40" + "markers": "python_version >= '3.7'", + "version": "==1.28.57" }, "botocore": { "hashes": [ - "sha256:ce22a82ef8674f49691477d09558992cc87e7331f65c6a5b0da897ab192240ca", - "sha256:df766969f0d9ef9eda1a9c9946e0e173c10199f37a9e4c92861f11ddb5c9e702" + "sha256:159f637300206a0b37b49c1bee61265650843f591e9cb62e9adcb3d1c2afec91", + "sha256:6485a700744c60fcbf4bba4fcacb22067f601e79fb0c27fae04cf07b03c5e8f9" ], "markers": "python_version >= '3.7'", - "version": "==1.31.40" + "version": "==1.31.59" }, "cached-property": { "hashes": [ @@ -241,6 +240,7 @@ "sha256:dce83f2d9b4e1f732a8cd44af8e8fab2dbe46201467fc98b3ef8f269092bf62b" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==5.3.1" }, "certifi": { @@ -253,153 +253,158 @@ }, "cffi": { "hashes": [ - "sha256:00a9ed42e88df81ffae7a8ab6d9356b371399b91dbdf0c3cb1e84c03a13aceb5", - "sha256:03425bdae262c76aad70202debd780501fabeaca237cdfddc008987c0e0f59ef", - "sha256:04ed324bda3cda42b9b695d51bb7d54b680b9719cfab04227cdd1e04e5de3104", - "sha256:0e2642fe3142e4cc4af0799748233ad6da94c62a8bec3a6648bf8ee68b1c7426", - "sha256:173379135477dc8cac4bc58f45db08ab45d228b3363adb7af79436135d028405", - "sha256:198caafb44239b60e252492445da556afafc7d1e3ab7a1fb3f0584ef6d742375", - "sha256:1e74c6b51a9ed6589199c787bf5f9875612ca4a8a0785fb2d4a84429badaf22a", - "sha256:2012c72d854c2d03e45d06ae57f40d78e5770d252f195b93f581acf3ba44496e", - "sha256:21157295583fe8943475029ed5abdcf71eb3911894724e360acff1d61c1d54bc", - "sha256:2470043b93ff09bf8fb1d46d1cb756ce6132c54826661a32d4e4d132e1977adf", - "sha256:285d29981935eb726a4399badae8f0ffdff4f5050eaa6d0cfc3f64b857b77185", - "sha256:30d78fbc8ebf9c92c9b7823ee18eb92f2e6ef79b45ac84db507f52fbe3ec4497", - "sha256:320dab6e7cb2eacdf0e658569d2575c4dad258c0fcc794f46215e1e39f90f2c3", - "sha256:33ab79603146aace82c2427da5ca6e58f2b3f2fb5da893ceac0c42218a40be35", - "sha256:3548db281cd7d2561c9ad9984681c95f7b0e38881201e157833a2342c30d5e8c", - "sha256:3799aecf2e17cf585d977b780ce79ff0dc9b78d799fc694221ce814c2c19db83", - "sha256:39d39875251ca8f612b6f33e6b1195af86d1b3e60086068be9cc053aa4376e21", - "sha256:3b926aa83d1edb5aa5b427b4053dc420ec295a08e40911296b9eb1b6170f6cca", - "sha256:3bcde07039e586f91b45c88f8583ea7cf7a0770df3a1649627bf598332cb6984", - "sha256:3d08afd128ddaa624a48cf2b859afef385b720bb4b43df214f85616922e6a5ac", - "sha256:3eb6971dcff08619f8d91607cfc726518b6fa2a9eba42856be181c6d0d9515fd", - "sha256:40f4774f5a9d4f5e344f31a32b5096977b5d48560c5592e2f3d2c4374bd543ee", - "sha256:4289fc34b2f5316fbb762d75362931e351941fa95fa18789191b33fc4cf9504a", - "sha256:470c103ae716238bbe698d67ad020e1db9d9dba34fa5a899b5e21577e6d52ed2", - "sha256:4f2c9f67e9821cad2e5f480bc8d83b8742896f1242dba247911072d4fa94c192", - "sha256:50a74364d85fd319352182ef59c5c790484a336f6db772c1a9231f1c3ed0cbd7", - "sha256:54a2db7b78338edd780e7ef7f9f6c442500fb0d41a5a4ea24fff1c929d5af585", - "sha256:5635bd9cb9731e6d4a1132a498dd34f764034a8ce60cef4f5319c0541159392f", - "sha256:59c0b02d0a6c384d453fece7566d1c7e6b7bae4fc5874ef2ef46d56776d61c9e", - "sha256:5d598b938678ebf3c67377cdd45e09d431369c3b1a5b331058c338e201f12b27", - "sha256:5df2768244d19ab7f60546d0c7c63ce1581f7af8b5de3eb3004b9b6fc8a9f84b", - "sha256:5ef34d190326c3b1f822a5b7a45f6c4535e2f47ed06fec77d3d799c450b2651e", - "sha256:6975a3fac6bc83c4a65c9f9fcab9e47019a11d3d2cf7f3c0d03431bf145a941e", - "sha256:6c9a799e985904922a4d207a94eae35c78ebae90e128f0c4e521ce339396be9d", - "sha256:70df4e3b545a17496c9b3f41f5115e69a4f2e77e94e1d2a8e1070bc0c38c8a3c", - "sha256:7473e861101c9e72452f9bf8acb984947aa1661a7704553a9f6e4baa5ba64415", - "sha256:8102eaf27e1e448db915d08afa8b41d6c7ca7a04b7d73af6514df10a3e74bd82", - "sha256:87c450779d0914f2861b8526e035c5e6da0a3199d8f1add1a665e1cbc6fc6d02", - "sha256:8b7ee99e510d7b66cdb6c593f21c043c248537a32e0bedf02e01e9553a172314", - "sha256:91fc98adde3d7881af9b59ed0294046f3806221863722ba7d8d120c575314325", - "sha256:94411f22c3985acaec6f83c6df553f2dbe17b698cc7f8ae751ff2237d96b9e3c", - "sha256:98d85c6a2bef81588d9227dde12db8a7f47f639f4a17c9ae08e773aa9c697bf3", - "sha256:9ad5db27f9cabae298d151c85cf2bad1d359a1b9c686a275df03385758e2f914", - "sha256:a0b71b1b8fbf2b96e41c4d990244165e2c9be83d54962a9a1d118fd8657d2045", - "sha256:a0f100c8912c114ff53e1202d0078b425bee3649ae34d7b070e9697f93c5d52d", - "sha256:a591fe9e525846e4d154205572a029f653ada1a78b93697f3b5a8f1f2bc055b9", - "sha256:a5c84c68147988265e60416b57fc83425a78058853509c1b0629c180094904a5", - "sha256:a66d3508133af6e8548451b25058d5812812ec3798c886bf38ed24a98216fab2", - "sha256:a8c4917bd7ad33e8eb21e9a5bbba979b49d9a97acb3a803092cbc1133e20343c", - "sha256:b3bbeb01c2b273cca1e1e0c5df57f12dce9a4dd331b4fa1635b8bec26350bde3", - "sha256:cba9d6b9a7d64d4bd46167096fc9d2f835e25d7e4c121fb2ddfc6528fb0413b2", - "sha256:cc4d65aeeaa04136a12677d3dd0b1c0c94dc43abac5860ab33cceb42b801c1e8", - "sha256:ce4bcc037df4fc5e3d184794f27bdaab018943698f4ca31630bc7f84a7b69c6d", - "sha256:cec7d9412a9102bdc577382c3929b337320c4c4c4849f2c5cdd14d7368c5562d", - "sha256:d400bfb9a37b1351253cb402671cea7e89bdecc294e8016a707f6d1d8ac934f9", - "sha256:d61f4695e6c866a23a21acab0509af1cdfd2c013cf256bbf5b6b5e2695827162", - "sha256:db0fbb9c62743ce59a9ff687eb5f4afbe77e5e8403d6697f7446e5f609976f76", - "sha256:dd86c085fae2efd48ac91dd7ccffcfc0571387fe1193d33b6394db7ef31fe2a4", - "sha256:e00b098126fd45523dd056d2efba6c5a63b71ffe9f2bbe1a4fe1716e1d0c331e", - "sha256:e229a521186c75c8ad9490854fd8bbdd9a0c9aa3a524326b55be83b54d4e0ad9", - "sha256:e263d77ee3dd201c3a142934a086a4450861778baaeeb45db4591ef65550b0a6", - "sha256:ed9cb427ba5504c1dc15ede7d516b84757c3e3d7868ccc85121d9310d27eed0b", - "sha256:fa6693661a4c91757f4412306191b6dc88c1703f780c8234035eac011922bc01", - "sha256:fcd131dd944808b5bdb38e6f5b53013c5aa4f334c5cad0c72742f6eba4b73db0" - ], - "version": "==1.15.1" + "sha256:0c9ef6ff37e974b73c25eecc13952c55bceed9112be2d9d938ded8e856138bcc", + "sha256:131fd094d1065b19540c3d72594260f118b231090295d8c34e19a7bbcf2e860a", + "sha256:1b8ebc27c014c59692bb2664c7d13ce7a6e9a629be20e54e7271fa696ff2b417", + "sha256:2c56b361916f390cd758a57f2e16233eb4f64bcbeee88a4881ea90fca14dc6ab", + "sha256:2d92b25dbf6cae33f65005baf472d2c245c050b1ce709cc4588cdcdd5495b520", + "sha256:31d13b0f99e0836b7ff893d37af07366ebc90b678b6664c955b54561fc36ef36", + "sha256:32c68ef735dbe5857c810328cb2481e24722a59a2003018885514d4c09af9743", + "sha256:3686dffb02459559c74dd3d81748269ffb0eb027c39a6fc99502de37d501faa8", + "sha256:582215a0e9adbe0e379761260553ba11c58943e4bbe9c36430c4ca6ac74b15ed", + "sha256:5b50bf3f55561dac5438f8e70bfcdfd74543fd60df5fa5f62d94e5867deca684", + "sha256:5bf44d66cdf9e893637896c7faa22298baebcd18d1ddb6d2626a6e39793a1d56", + "sha256:6602bc8dc6f3a9e02b6c22c4fc1e47aa50f8f8e6d3f78a5e16ac33ef5fefa324", + "sha256:673739cb539f8cdaa07d92d02efa93c9ccf87e345b9a0b556e3ecc666718468d", + "sha256:68678abf380b42ce21a5f2abde8efee05c114c2fdb2e9eef2efdb0257fba1235", + "sha256:68e7c44931cc171c54ccb702482e9fc723192e88d25a0e133edd7aff8fcd1f6e", + "sha256:6b3d6606d369fc1da4fd8c357d026317fbb9c9b75d36dc16e90e84c26854b088", + "sha256:748dcd1e3d3d7cd5443ef03ce8685043294ad6bd7c02a38d1bd367cfd968e000", + "sha256:7651c50c8c5ef7bdb41108b7b8c5a83013bfaa8a935590c5d74627c047a583c7", + "sha256:7b78010e7b97fef4bee1e896df8a4bbb6712b7f05b7ef630f9d1da00f6444d2e", + "sha256:7e61e3e4fa664a8588aa25c883eab612a188c725755afff6289454d6362b9673", + "sha256:80876338e19c951fdfed6198e70bc88f1c9758b94578d5a7c4c91a87af3cf31c", + "sha256:8895613bcc094d4a1b2dbe179d88d7fb4a15cee43c052e8885783fac397d91fe", + "sha256:88e2b3c14bdb32e440be531ade29d3c50a1a59cd4e51b1dd8b0865c54ea5d2e2", + "sha256:8f8e709127c6c77446a8c0a8c8bf3c8ee706a06cd44b1e827c3e6a2ee6b8c098", + "sha256:9cb4a35b3642fc5c005a6755a5d17c6c8b6bcb6981baf81cea8bfbc8903e8ba8", + "sha256:9f90389693731ff1f659e55c7d1640e2ec43ff725cc61b04b2f9c6d8d017df6a", + "sha256:a09582f178759ee8128d9270cd1344154fd473bb77d94ce0aeb2a93ebf0feaf0", + "sha256:a6a14b17d7e17fa0d207ac08642c8820f84f25ce17a442fd15e27ea18d67c59b", + "sha256:a72e8961a86d19bdb45851d8f1f08b041ea37d2bd8d4fd19903bc3083d80c896", + "sha256:abd808f9c129ba2beda4cfc53bde801e5bcf9d6e0f22f095e45327c038bfe68e", + "sha256:ac0f5edd2360eea2f1daa9e26a41db02dd4b0451b48f7c318e217ee092a213e9", + "sha256:b29ebffcf550f9da55bec9e02ad430c992a87e5f512cd63388abb76f1036d8d2", + "sha256:b2ca4e77f9f47c55c194982e10f058db063937845bb2b7a86c84a6cfe0aefa8b", + "sha256:b7be2d771cdba2942e13215c4e340bfd76398e9227ad10402a8767ab1865d2e6", + "sha256:b84834d0cf97e7d27dd5b7f3aca7b6e9263c56308ab9dc8aae9784abb774d404", + "sha256:b86851a328eedc692acf81fb05444bdf1891747c25af7529e39ddafaf68a4f3f", + "sha256:bcb3ef43e58665bbda2fb198698fcae6776483e0c4a631aa5647806c25e02cc0", + "sha256:c0f31130ebc2d37cdd8e44605fb5fa7ad59049298b3f745c74fa74c62fbfcfc4", + "sha256:c6a164aa47843fb1b01e941d385aab7215563bb8816d80ff3a363a9f8448a8dc", + "sha256:d8a9d3ebe49f084ad71f9269834ceccbf398253c9fac910c4fd7053ff1386936", + "sha256:db8e577c19c0fda0beb7e0d4e09e0ba74b1e4c092e0e40bfa12fe05b6f6d75ba", + "sha256:dc9b18bf40cc75f66f40a7379f6a9513244fe33c0e8aa72e2d56b0196a7ef872", + "sha256:e09f3ff613345df5e8c3667da1d918f9149bd623cd9070c983c013792a9a62eb", + "sha256:e4108df7fe9b707191e55f33efbcb2d81928e10cea45527879a4749cbe472614", + "sha256:e6024675e67af929088fda399b2094574609396b1decb609c55fa58b028a32a1", + "sha256:e70f54f1796669ef691ca07d046cd81a29cb4deb1e5f942003f401c0c4a2695d", + "sha256:e715596e683d2ce000574bae5d07bd522c781a822866c20495e52520564f0969", + "sha256:e760191dd42581e023a68b758769e2da259b5d52e3103c6060ddc02c9edb8d7b", + "sha256:ed86a35631f7bfbb28e108dd96773b9d5a6ce4811cf6ea468bb6a359b256b1e4", + "sha256:ee07e47c12890ef248766a6e55bd38ebfb2bb8edd4142d56db91b21ea68b7627", + "sha256:fa3a0128b152627161ce47201262d3140edb5a5c3da88d73a1b790a959126956", + "sha256:fcc8eb6d5902bb1cf6dc4f187ee3ea80a1eba0a89aba40a5cb20a5087d961357" + ], + "markers": "python_version >= '3.8'", + "version": "==1.16.0" }, "charset-normalizer": { "hashes": [ - "sha256:04e57ab9fbf9607b77f7d057974694b4f6b142da9ed4a199859d9d4d5c63fe96", - "sha256:09393e1b2a9461950b1c9a45d5fd251dc7c6f228acab64da1c9c0165d9c7765c", - "sha256:0b87549028f680ca955556e3bd57013ab47474c3124dc069faa0b6545b6c9710", - "sha256:1000fba1057b92a65daec275aec30586c3de2401ccdcd41f8a5c1e2c87078706", - "sha256:1249cbbf3d3b04902ff081ffbb33ce3377fa6e4c7356f759f3cd076cc138d020", - "sha256:1920d4ff15ce893210c1f0c0e9d19bfbecb7983c76b33f046c13a8ffbd570252", - "sha256:193cbc708ea3aca45e7221ae58f0fd63f933753a9bfb498a3b474878f12caaad", - "sha256:1a100c6d595a7f316f1b6f01d20815d916e75ff98c27a01ae817439ea7726329", - "sha256:1f30b48dd7fa1474554b0b0f3fdfdd4c13b5c737a3c6284d3cdc424ec0ffff3a", - "sha256:203f0c8871d5a7987be20c72442488a0b8cfd0f43b7973771640fc593f56321f", - "sha256:246de67b99b6851627d945db38147d1b209a899311b1305dd84916f2b88526c6", - "sha256:2dee8e57f052ef5353cf608e0b4c871aee320dd1b87d351c28764fc0ca55f9f4", - "sha256:2efb1bd13885392adfda4614c33d3b68dee4921fd0ac1d3988f8cbb7d589e72a", - "sha256:2f4ac36d8e2b4cc1aa71df3dd84ff8efbe3bfb97ac41242fbcfc053c67434f46", - "sha256:3170c9399da12c9dc66366e9d14da8bf7147e1e9d9ea566067bbce7bb74bd9c2", - "sha256:3b1613dd5aee995ec6d4c69f00378bbd07614702a315a2cf6c1d21461fe17c23", - "sha256:3bb3d25a8e6c0aedd251753a79ae98a093c7e7b471faa3aa9a93a81431987ace", - "sha256:3bb7fda7260735efe66d5107fb7e6af6a7c04c7fce9b2514e04b7a74b06bf5dd", - "sha256:41b25eaa7d15909cf3ac4c96088c1f266a9a93ec44f87f1d13d4a0e86c81b982", - "sha256:45de3f87179c1823e6d9e32156fb14c1927fcc9aba21433f088fdfb555b77c10", - "sha256:46fb8c61d794b78ec7134a715a3e564aafc8f6b5e338417cb19fe9f57a5a9bf2", - "sha256:48021783bdf96e3d6de03a6e39a1171ed5bd7e8bb93fc84cc649d11490f87cea", - "sha256:4957669ef390f0e6719db3613ab3a7631e68424604a7b448f079bee145da6e09", - "sha256:5e86d77b090dbddbe78867a0275cb4df08ea195e660f1f7f13435a4649e954e5", - "sha256:6339d047dab2780cc6220f46306628e04d9750f02f983ddb37439ca47ced7149", - "sha256:681eb3d7e02e3c3655d1b16059fbfb605ac464c834a0c629048a30fad2b27489", - "sha256:6c409c0deba34f147f77efaa67b8e4bb83d2f11c8806405f76397ae5b8c0d1c9", - "sha256:7095f6fbfaa55defb6b733cfeb14efaae7a29f0b59d8cf213be4e7ca0b857b80", - "sha256:70c610f6cbe4b9fce272c407dd9d07e33e6bf7b4aa1b7ffb6f6ded8e634e3592", - "sha256:72814c01533f51d68702802d74f77ea026b5ec52793c791e2da806a3844a46c3", - "sha256:7a4826ad2bd6b07ca615c74ab91f32f6c96d08f6fcc3902ceeedaec8cdc3bcd6", - "sha256:7c70087bfee18a42b4040bb9ec1ca15a08242cf5867c58726530bdf3945672ed", - "sha256:855eafa5d5a2034b4621c74925d89c5efef61418570e5ef9b37717d9c796419c", - "sha256:8700f06d0ce6f128de3ccdbc1acaea1ee264d2caa9ca05daaf492fde7c2a7200", - "sha256:89f1b185a01fe560bc8ae5f619e924407efca2191b56ce749ec84982fc59a32a", - "sha256:8b2c760cfc7042b27ebdb4a43a4453bd829a5742503599144d54a032c5dc7e9e", - "sha256:8c2f5e83493748286002f9369f3e6607c565a6a90425a3a1fef5ae32a36d749d", - "sha256:8e098148dd37b4ce3baca71fb394c81dc5d9c7728c95df695d2dca218edf40e6", - "sha256:94aea8eff76ee6d1cdacb07dd2123a68283cb5569e0250feab1240058f53b623", - "sha256:95eb302ff792e12aba9a8b8f8474ab229a83c103d74a750ec0bd1c1eea32e669", - "sha256:9bd9b3b31adcb054116447ea22caa61a285d92e94d710aa5ec97992ff5eb7cf3", - "sha256:9e608aafdb55eb9f255034709e20d5a83b6d60c054df0802fa9c9883d0a937aa", - "sha256:a103b3a7069b62f5d4890ae1b8f0597618f628b286b03d4bc9195230b154bfa9", - "sha256:a386ebe437176aab38c041de1260cd3ea459c6ce5263594399880bbc398225b2", - "sha256:a38856a971c602f98472050165cea2cdc97709240373041b69030be15047691f", - "sha256:a401b4598e5d3f4a9a811f3daf42ee2291790c7f9d74b18d75d6e21dda98a1a1", - "sha256:a7647ebdfb9682b7bb97e2a5e7cb6ae735b1c25008a70b906aecca294ee96cf4", - "sha256:aaf63899c94de41fe3cf934601b0f7ccb6b428c6e4eeb80da72c58eab077b19a", - "sha256:b0dac0ff919ba34d4df1b6131f59ce95b08b9065233446be7e459f95554c0dc8", - "sha256:baacc6aee0b2ef6f3d308e197b5d7a81c0e70b06beae1f1fcacffdbd124fe0e3", - "sha256:bf420121d4c8dce6b889f0e8e4ec0ca34b7f40186203f06a946fa0276ba54029", - "sha256:c04a46716adde8d927adb9457bbe39cf473e1e2c2f5d0a16ceb837e5d841ad4f", - "sha256:c0b21078a4b56965e2b12f247467b234734491897e99c1d51cee628da9786959", - "sha256:c1c76a1743432b4b60ab3358c937a3fe1341c828ae6194108a94c69028247f22", - "sha256:c4983bf937209c57240cff65906b18bb35e64ae872da6a0db937d7b4af845dd7", - "sha256:c4fb39a81950ec280984b3a44f5bd12819953dc5fa3a7e6fa7a80db5ee853952", - "sha256:c57921cda3a80d0f2b8aec7e25c8aa14479ea92b5b51b6876d975d925a2ea346", - "sha256:c8063cf17b19661471ecbdb3df1c84f24ad2e389e326ccaf89e3fb2484d8dd7e", - "sha256:ccd16eb18a849fd8dcb23e23380e2f0a354e8daa0c984b8a732d9cfaba3a776d", - "sha256:cd6dbe0238f7743d0efe563ab46294f54f9bc8f4b9bcf57c3c666cc5bc9d1299", - "sha256:d62e51710986674142526ab9f78663ca2b0726066ae26b78b22e0f5e571238dd", - "sha256:db901e2ac34c931d73054d9797383d0f8009991e723dab15109740a63e7f902a", - "sha256:e03b8895a6990c9ab2cdcd0f2fe44088ca1c65ae592b8f795c3294af00a461c3", - "sha256:e1c8a2f4c69e08e89632defbfabec2feb8a8d99edc9f89ce33c4b9e36ab63037", - "sha256:e4b749b9cc6ee664a3300bb3a273c1ca8068c46be705b6c31cf5d276f8628a94", - "sha256:e6a5bf2cba5ae1bb80b154ed68a3cfa2fa00fde979a7f50d6598d3e17d9ac20c", - "sha256:e857a2232ba53ae940d3456f7533ce6ca98b81917d47adc3c7fd55dad8fab858", - "sha256:ee4006268ed33370957f55bf2e6f4d263eaf4dc3cfc473d1d90baff6ed36ce4a", - "sha256:eef9df1eefada2c09a5e7a40991b9fc6ac6ef20b1372abd48d2794a316dc0449", - "sha256:f058f6963fd82eb143c692cecdc89e075fa0828db2e5b291070485390b2f1c9c", - "sha256:f25c229a6ba38a35ae6e25ca1264621cc25d4d38dca2942a7fce0b67a4efe918", - "sha256:f2a1d0fd4242bd8643ce6f98927cf9c04540af6efa92323e9d3124f57727bfc1", - "sha256:f7560358a6811e52e9c4d142d497f1a6e10103d3a6881f18d04dbce3729c0e2c", - "sha256:f779d3ad205f108d14e99bb3859aa7dd8e9c68874617c72354d7ecaec2a054ac", - "sha256:f87f746ee241d30d6ed93969de31e5ffd09a2961a051e60ae6bddde9ec3583aa" - ], - "index": "pypi", - "version": "==3.2.0" + "sha256:02673e456dc5ab13659f85196c534dc596d4ef260e4d86e856c3b2773ce09843", + "sha256:02af06682e3590ab952599fbadac535ede5d60d78848e555aa58d0c0abbde786", + "sha256:03680bb39035fbcffe828eae9c3f8afc0428c91d38e7d61aa992ef7a59fb120e", + "sha256:0570d21da019941634a531444364f2482e8db0b3425fcd5ac0c36565a64142c8", + "sha256:09c77f964f351a7369cc343911e0df63e762e42bac24cd7d18525961c81754f4", + "sha256:0d3d5b7db9ed8a2b11a774db2bbea7ba1884430a205dbd54a32d61d7c2a190fa", + "sha256:1063da2c85b95f2d1a430f1c33b55c9c17ffaf5e612e10aeaad641c55a9e2b9d", + "sha256:12ebea541c44fdc88ccb794a13fe861cc5e35d64ed689513a5c03d05b53b7c82", + "sha256:153e7b6e724761741e0974fc4dcd406d35ba70b92bfe3fedcb497226c93b9da7", + "sha256:15b26ddf78d57f1d143bdf32e820fd8935d36abe8a25eb9ec0b5a71c82eb3895", + "sha256:1872d01ac8c618a8da634e232f24793883d6e456a66593135aeafe3784b0848d", + "sha256:187d18082694a29005ba2944c882344b6748d5be69e3a89bf3cc9d878e548d5a", + "sha256:1b2919306936ac6efb3aed1fbf81039f7087ddadb3160882a57ee2ff74fd2382", + "sha256:232ac332403e37e4a03d209a3f92ed9071f7d3dbda70e2a5e9cff1c4ba9f0678", + "sha256:23e8565ab7ff33218530bc817922fae827420f143479b753104ab801145b1d5b", + "sha256:24817cb02cbef7cd499f7c9a2735286b4782bd47a5b3516a0e84c50eab44b98e", + "sha256:249c6470a2b60935bafd1d1d13cd613f8cd8388d53461c67397ee6a0f5dce741", + "sha256:24a91a981f185721542a0b7c92e9054b7ab4fea0508a795846bc5b0abf8118d4", + "sha256:2502dd2a736c879c0f0d3e2161e74d9907231e25d35794584b1ca5284e43f596", + "sha256:250c9eb0f4600361dd80d46112213dff2286231d92d3e52af1e5a6083d10cad9", + "sha256:278c296c6f96fa686d74eb449ea1697f3c03dc28b75f873b65b5201806346a69", + "sha256:2935ffc78db9645cb2086c2f8f4cfd23d9b73cc0dc80334bc30aac6f03f68f8c", + "sha256:2f4a0033ce9a76e391542c182f0d48d084855b5fcba5010f707c8e8c34663d77", + "sha256:30a85aed0b864ac88309b7d94be09f6046c834ef60762a8833b660139cfbad13", + "sha256:380c4bde80bce25c6e4f77b19386f5ec9db230df9f2f2ac1e5ad7af2caa70459", + "sha256:3ae38d325b512f63f8da31f826e6cb6c367336f95e418137286ba362925c877e", + "sha256:3b447982ad46348c02cb90d230b75ac34e9886273df3a93eec0539308a6296d7", + "sha256:3debd1150027933210c2fc321527c2299118aa929c2f5a0a80ab6953e3bd1908", + "sha256:4162918ef3098851fcd8a628bf9b6a98d10c380725df9e04caf5ca6dd48c847a", + "sha256:468d2a840567b13a590e67dd276c570f8de00ed767ecc611994c301d0f8c014f", + "sha256:4cc152c5dd831641e995764f9f0b6589519f6f5123258ccaca8c6d34572fefa8", + "sha256:542da1178c1c6af8873e143910e2269add130a299c9106eef2594e15dae5e482", + "sha256:557b21a44ceac6c6b9773bc65aa1b4cc3e248a5ad2f5b914b91579a32e22204d", + "sha256:5707a746c6083a3a74b46b3a631d78d129edab06195a92a8ece755aac25a3f3d", + "sha256:588245972aca710b5b68802c8cad9edaa98589b1b42ad2b53accd6910dad3545", + "sha256:5adf257bd58c1b8632046bbe43ee38c04e1038e9d37de9c57a94d6bd6ce5da34", + "sha256:619d1c96099be5823db34fe89e2582b336b5b074a7f47f819d6b3a57ff7bdb86", + "sha256:63563193aec44bce707e0c5ca64ff69fa72ed7cf34ce6e11d5127555756fd2f6", + "sha256:67b8cc9574bb518ec76dc8e705d4c39ae78bb96237cb533edac149352c1f39fe", + "sha256:6a685067d05e46641d5d1623d7c7fdf15a357546cbb2f71b0ebde91b175ffc3e", + "sha256:70f1d09c0d7748b73290b29219e854b3207aea922f839437870d8cc2168e31cc", + "sha256:750b446b2ffce1739e8578576092179160f6d26bd5e23eb1789c4d64d5af7dc7", + "sha256:7966951325782121e67c81299a031f4c115615e68046f79b85856b86ebffc4cd", + "sha256:7b8b8bf1189b3ba9b8de5c8db4d541b406611a71a955bbbd7385bbc45fcb786c", + "sha256:7f5d10bae5d78e4551b7be7a9b29643a95aded9d0f602aa2ba584f0388e7a557", + "sha256:805dfea4ca10411a5296bcc75638017215a93ffb584c9e344731eef0dcfb026a", + "sha256:81bf654678e575403736b85ba3a7867e31c2c30a69bc57fe88e3ace52fb17b89", + "sha256:82eb849f085624f6a607538ee7b83a6d8126df6d2f7d3b319cb837b289123078", + "sha256:85a32721ddde63c9df9ebb0d2045b9691d9750cb139c161c80e500d210f5e26e", + "sha256:86d1f65ac145e2c9ed71d8ffb1905e9bba3a91ae29ba55b4c46ae6fc31d7c0d4", + "sha256:86f63face3a527284f7bb8a9d4f78988e3c06823f7bea2bd6f0e0e9298ca0403", + "sha256:8eaf82f0eccd1505cf39a45a6bd0a8cf1c70dcfc30dba338207a969d91b965c0", + "sha256:93aa7eef6ee71c629b51ef873991d6911b906d7312c6e8e99790c0f33c576f89", + "sha256:96c2b49eb6a72c0e4991d62406e365d87067ca14c1a729a870d22354e6f68115", + "sha256:9cf3126b85822c4e53aa28c7ec9869b924d6fcfb76e77a45c44b83d91afd74f9", + "sha256:9fe359b2e3a7729010060fbca442ca225280c16e923b37db0e955ac2a2b72a05", + "sha256:a0ac5e7015a5920cfce654c06618ec40c33e12801711da6b4258af59a8eff00a", + "sha256:a3f93dab657839dfa61025056606600a11d0b696d79386f974e459a3fbc568ec", + "sha256:a4b71f4d1765639372a3b32d2638197f5cd5221b19531f9245fcc9ee62d38f56", + "sha256:aae32c93e0f64469f74ccc730a7cb21c7610af3a775157e50bbd38f816536b38", + "sha256:aaf7b34c5bc56b38c931a54f7952f1ff0ae77a2e82496583b247f7c969eb1479", + "sha256:abecce40dfebbfa6abf8e324e1860092eeca6f7375c8c4e655a8afb61af58f2c", + "sha256:abf0d9f45ea5fb95051c8bfe43cb40cda383772f7e5023a83cc481ca2604d74e", + "sha256:ac71b2977fb90c35d41c9453116e283fac47bb9096ad917b8819ca8b943abecd", + "sha256:ada214c6fa40f8d800e575de6b91a40d0548139e5dc457d2ebb61470abf50186", + "sha256:b09719a17a2301178fac4470d54b1680b18a5048b481cb8890e1ef820cb80455", + "sha256:b1121de0e9d6e6ca08289583d7491e7fcb18a439305b34a30b20d8215922d43c", + "sha256:b3b2316b25644b23b54a6f6401074cebcecd1244c0b8e80111c9a3f1c8e83d65", + "sha256:b3d9b48ee6e3967b7901c052b670c7dda6deb812c309439adaffdec55c6d7b78", + "sha256:b5bcf60a228acae568e9911f410f9d9e0d43197d030ae5799e20dca8df588287", + "sha256:b8f3307af845803fb0b060ab76cf6dd3a13adc15b6b451f54281d25911eb92df", + "sha256:c2af80fb58f0f24b3f3adcb9148e6203fa67dd3f61c4af146ecad033024dde43", + "sha256:c350354efb159b8767a6244c166f66e67506e06c8924ed74669b2c70bc8735b1", + "sha256:c5a74c359b2d47d26cdbbc7845e9662d6b08a1e915eb015d044729e92e7050b7", + "sha256:c71f16da1ed8949774ef79f4a0260d28b83b3a50c6576f8f4f0288d109777989", + "sha256:d47ecf253780c90ee181d4d871cd655a789da937454045b17b5798da9393901a", + "sha256:d7eff0f27edc5afa9e405f7165f85a6d782d308f3b6b9d96016c010597958e63", + "sha256:d97d85fa63f315a8bdaba2af9a6a686e0eceab77b3089af45133252618e70884", + "sha256:db756e48f9c5c607b5e33dd36b1d5872d0422e960145b08ab0ec7fd420e9d649", + "sha256:dc45229747b67ffc441b3de2f3ae5e62877a282ea828a5bdb67883c4ee4a8810", + "sha256:e0fc42822278451bc13a2e8626cf2218ba570f27856b536e00cfa53099724828", + "sha256:e39c7eb31e3f5b1f88caff88bcff1b7f8334975b46f6ac6e9fc725d829bc35d4", + "sha256:e46cd37076971c1040fc8c41273a8b3e2c624ce4f2be3f5dfcb7a430c1d3acc2", + "sha256:e5c1502d4ace69a179305abb3f0bb6141cbe4714bc9b31d427329a95acfc8bdd", + "sha256:edfe077ab09442d4ef3c52cb1f9dab89bff02f4524afc0acf2d46be17dc479f5", + "sha256:effe5406c9bd748a871dbcaf3ac69167c38d72db8c9baf3ff954c344f31c4cbe", + "sha256:f0d1e3732768fecb052d90d62b220af62ead5748ac51ef61e7b32c266cac9293", + "sha256:f5969baeaea61c97efa706b9b107dcba02784b1601c74ac84f2a532ea079403e", + "sha256:f8888e31e3a85943743f8fc15e71536bda1c81d5aa36d014a3c0c44481d7db6e", + "sha256:fc52b79d83a3fe3a360902d3f5d79073a993597d48114c29485e9431092905d8" + ], + "index": "pypi", + "markers": "python_full_version >= '3.7.0'", + "version": "==3.3.0" }, "click": { "hashes": [ @@ -407,6 +412,7 @@ "sha256:ca9853ad459e787e2192211578cc907e7594e294c7ccc834310722b41b9ca6de" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==8.1.7" }, "click-option-group": { @@ -423,6 +429,7 @@ "sha256:afa27770d97720dc4bddb3c11f50bd287f1ab1fdd908538e896e23c70a0d9c5f" ], "index": "pypi", + "markers": "python_version >= '3.6'", "version": "==0.6.1" }, "colorama": { @@ -431,6 +438,7 @@ "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6" ], "index": "pypi", + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6'", "version": "==0.4.6" }, "configargparse": { @@ -439,6 +447,7 @@ "sha256:e7067471884de5478c58a511e529f0f9bd1c66bfef1dea90935438d6c23306d1" ], "index": "pypi", + "markers": "python_version >= '3.5'", "version": "==1.7" }, "contextlib2": { @@ -455,6 +464,7 @@ "sha256:8981ca462fba91469c268d684a03f72c89c7a807674d884f83a28d8c2822a9b6" ], "index": "pypi", + "markers": "python_version >= '3.6' and python_version < '4.0'", "version": "==3.1.5" }, "decorator": { @@ -465,20 +475,13 @@ "markers": "python_version >= '3.5'", "version": "==5.1.1" }, - "deep-merge": { - "hashes": [ - "sha256:8056b4b43c6dfddf5c7b1feb3a09f1ab1cbd74e8382e43736ea8c5619e8e5a4e", - "sha256:b54415f90934c42e334114e2864cb4d4e7335b34ad396e35ad8610c96065a47e" - ], - "index": "pypi", - "version": "==0.0.4" - }, "docker": { "hashes": [ "sha256:aa6d17830045ba5ef0168d5eaa34d37beeb113948c413affe1d5991fc11f9a20", "sha256:aecd2277b8bf8e506e484f6ab7aec39abe0038e29fa4a6d3ba86c3fe01844ed9" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==6.1.3" }, "dockerfile-parse": { @@ -487,6 +490,7 @@ "sha256:bdffd126d2eb26acf1066acb54cb2e336682e1d72b974a40894fac76a4df17f6" ], "index": "pypi", + "markers": "python_version >= '3.6'", "version": "==2.0.1" }, "dpath": { @@ -495,87 +499,75 @@ "sha256:d9560e03ccd83b3c6f29988b0162ce9b34fd28b9d8dbda46663b20c68d9cdae3" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==2.1.3" }, "frozenlist": { "hashes": [ - "sha256:008a054b75d77c995ea26629ab3a0c0d7281341f2fa7e1e85fa6153ae29ae99c", - "sha256:02c9ac843e3390826a265e331105efeab489ffaf4dd86384595ee8ce6d35ae7f", - "sha256:034a5c08d36649591be1cbb10e09da9f531034acfe29275fc5454a3b101ce41a", - "sha256:05cdb16d09a0832eedf770cb7bd1fe57d8cf4eaf5aced29c4e41e3f20b30a784", - "sha256:0693c609e9742c66ba4870bcee1ad5ff35462d5ffec18710b4ac89337ff16e27", - "sha256:0771aed7f596c7d73444c847a1c16288937ef988dc04fb9f7be4b2aa91db609d", - "sha256:0af2e7c87d35b38732e810befb9d797a99279cbb85374d42ea61c1e9d23094b3", - "sha256:14143ae966a6229350021384870458e4777d1eae4c28d1a7aa47f24d030e6678", - "sha256:180c00c66bde6146a860cbb81b54ee0df350d2daf13ca85b275123bbf85de18a", - "sha256:1841e200fdafc3d51f974d9d377c079a0694a8f06de2e67b48150328d66d5483", - "sha256:23d16d9f477bb55b6154654e0e74557040575d9d19fe78a161bd33d7d76808e8", - "sha256:2b07ae0c1edaa0a36339ec6cce700f51b14a3fc6545fdd32930d2c83917332cf", - "sha256:2c926450857408e42f0bbc295e84395722ce74bae69a3b2aa2a65fe22cb14b99", - "sha256:2e24900aa13212e75e5b366cb9065e78bbf3893d4baab6052d1aca10d46d944c", - "sha256:303e04d422e9b911a09ad499b0368dc551e8c3cd15293c99160c7f1f07b59a48", - "sha256:352bd4c8c72d508778cf05ab491f6ef36149f4d0cb3c56b1b4302852255d05d5", - "sha256:3843f84a6c465a36559161e6c59dce2f2ac10943040c2fd021cfb70d58c4ad56", - "sha256:394c9c242113bfb4b9aa36e2b80a05ffa163a30691c7b5a29eba82e937895d5e", - "sha256:3bbdf44855ed8f0fbcd102ef05ec3012d6a4fd7c7562403f76ce6a52aeffb2b1", - "sha256:40de71985e9042ca00b7953c4f41eabc3dc514a2d1ff534027f091bc74416401", - "sha256:41fe21dc74ad3a779c3d73a2786bdf622ea81234bdd4faf90b8b03cad0c2c0b4", - "sha256:47df36a9fe24054b950bbc2db630d508cca3aa27ed0566c0baf661225e52c18e", - "sha256:4ea42116ceb6bb16dbb7d526e242cb6747b08b7710d9782aa3d6732bd8d27649", - "sha256:58bcc55721e8a90b88332d6cd441261ebb22342e238296bb330968952fbb3a6a", - "sha256:5c11e43016b9024240212d2a65043b70ed8dfd3b52678a1271972702d990ac6d", - "sha256:5cf820485f1b4c91e0417ea0afd41ce5cf5965011b3c22c400f6d144296ccbc0", - "sha256:5d8860749e813a6f65bad8285a0520607c9500caa23fea6ee407e63debcdbef6", - "sha256:6327eb8e419f7d9c38f333cde41b9ae348bec26d840927332f17e887a8dcb70d", - "sha256:65a5e4d3aa679610ac6e3569e865425b23b372277f89b5ef06cf2cdaf1ebf22b", - "sha256:66080ec69883597e4d026f2f71a231a1ee9887835902dbe6b6467d5a89216cf6", - "sha256:783263a4eaad7c49983fe4b2e7b53fa9770c136c270d2d4bbb6d2192bf4d9caf", - "sha256:7f44e24fa70f6fbc74aeec3e971f60a14dde85da364aa87f15d1be94ae75aeef", - "sha256:7fdfc24dcfce5b48109867c13b4cb15e4660e7bd7661741a391f821f23dfdca7", - "sha256:810860bb4bdce7557bc0febb84bbd88198b9dbc2022d8eebe5b3590b2ad6c842", - "sha256:841ea19b43d438a80b4de62ac6ab21cfe6827bb8a9dc62b896acc88eaf9cecba", - "sha256:84610c1502b2461255b4c9b7d5e9c48052601a8957cd0aea6ec7a7a1e1fb9420", - "sha256:899c5e1928eec13fd6f6d8dc51be23f0d09c5281e40d9cf4273d188d9feeaf9b", - "sha256:8bae29d60768bfa8fb92244b74502b18fae55a80eac13c88eb0b496d4268fd2d", - "sha256:8df3de3a9ab8325f94f646609a66cbeeede263910c5c0de0101079ad541af332", - "sha256:8fa3c6e3305aa1146b59a09b32b2e04074945ffcfb2f0931836d103a2c38f936", - "sha256:924620eef691990dfb56dc4709f280f40baee568c794b5c1885800c3ecc69816", - "sha256:9309869032abb23d196cb4e4db574232abe8b8be1339026f489eeb34a4acfd91", - "sha256:9545a33965d0d377b0bc823dcabf26980e77f1b6a7caa368a365a9497fb09420", - "sha256:9ac5995f2b408017b0be26d4a1d7c61bce106ff3d9e3324374d66b5964325448", - "sha256:9bbbcedd75acdfecf2159663b87f1bb5cfc80e7cd99f7ddd9d66eb98b14a8411", - "sha256:a4ae8135b11652b08a8baf07631d3ebfe65a4c87909dbef5fa0cdde440444ee4", - "sha256:a6394d7dadd3cfe3f4b3b186e54d5d8504d44f2d58dcc89d693698e8b7132b32", - "sha256:a97b4fe50b5890d36300820abd305694cb865ddb7885049587a5678215782a6b", - "sha256:ae4dc05c465a08a866b7a1baf360747078b362e6a6dbeb0c57f234db0ef88ae0", - "sha256:b1c63e8d377d039ac769cd0926558bb7068a1f7abb0f003e3717ee003ad85530", - "sha256:b1e2c1185858d7e10ff045c496bbf90ae752c28b365fef2c09cf0fa309291669", - "sha256:b4395e2f8d83fbe0c627b2b696acce67868793d7d9750e90e39592b3626691b7", - "sha256:b756072364347cb6aa5b60f9bc18e94b2f79632de3b0190253ad770c5df17db1", - "sha256:ba64dc2b3b7b158c6660d49cdb1d872d1d0bf4e42043ad8d5006099479a194e5", - "sha256:bed331fe18f58d844d39ceb398b77d6ac0b010d571cba8267c2e7165806b00ce", - "sha256:c188512b43542b1e91cadc3c6c915a82a5eb95929134faf7fd109f14f9892ce4", - "sha256:c21b9aa40e08e4f63a2f92ff3748e6b6c84d717d033c7b3438dd3123ee18f70e", - "sha256:ca713d4af15bae6e5d79b15c10c8522859a9a89d3b361a50b817c98c2fb402a2", - "sha256:cd4210baef299717db0a600d7a3cac81d46ef0e007f88c9335db79f8979c0d3d", - "sha256:cfe33efc9cb900a4c46f91a5ceba26d6df370ffddd9ca386eb1d4f0ad97b9ea9", - "sha256:d5cd3ab21acbdb414bb6c31958d7b06b85eeb40f66463c264a9b343a4e238642", - "sha256:dfbac4c2dfcc082fcf8d942d1e49b6aa0766c19d3358bd86e2000bf0fa4a9cf0", - "sha256:e235688f42b36be2b6b06fc37ac2126a73b75fb8d6bc66dd632aa35286238703", - "sha256:eb82dbba47a8318e75f679690190c10a5e1f447fbf9df41cbc4c3afd726d88cb", - "sha256:ebb86518203e12e96af765ee89034a1dbb0c3c65052d1b0c19bbbd6af8a145e1", - "sha256:ee78feb9d293c323b59a6f2dd441b63339a30edf35abcb51187d2fc26e696d13", - "sha256:eedab4c310c0299961ac285591acd53dc6723a1ebd90a57207c71f6e0c2153ab", - "sha256:efa568b885bca461f7c7b9e032655c0c143d305bf01c30caf6db2854a4532b38", - "sha256:efce6ae830831ab6a22b9b4091d411698145cb9b8fc869e1397ccf4b4b6455cb", - "sha256:f163d2fd041c630fed01bc48d28c3ed4a3b003c00acd396900e11ee5316b56bb", - "sha256:f20380df709d91525e4bee04746ba612a4df0972c1b8f8e1e8af997e678c7b81", - "sha256:f30f1928162e189091cf4d9da2eac617bfe78ef907a761614ff577ef4edfb3c8", - "sha256:f470c92737afa7d4c3aacc001e335062d582053d4dbe73cda126f2d7031068dd", - "sha256:ff8bf625fe85e119553b5383ba0fb6aa3d0ec2ae980295aaefa552374926b3f4" - ], - "markers": "python_version >= '3.7'", - "version": "==1.3.3" + "sha256:007df07a6e3eb3e33e9a1fe6a9db7af152bbd8a185f9aaa6ece10a3529e3e1c6", + "sha256:008eb8b31b3ea6896da16c38c1b136cb9fec9e249e77f6211d479db79a4eaf01", + "sha256:09163bdf0b2907454042edb19f887c6d33806adc71fbd54afc14908bfdc22251", + "sha256:0c7c1b47859ee2cac3846fde1c1dc0f15da6cec5a0e5c72d101e0f83dcb67ff9", + "sha256:0e5c8764c7829343d919cc2dfc587a8db01c4f70a4ebbc49abde5d4b158b007b", + "sha256:10ff5faaa22786315ef57097a279b833ecab1a0bfb07d604c9cbb1c4cdc2ed87", + "sha256:17ae5cd0f333f94f2e03aaf140bb762c64783935cc764ff9c82dff626089bebf", + "sha256:19488c57c12d4e8095a922f328df3f179c820c212940a498623ed39160bc3c2f", + "sha256:1a0848b52815006ea6596c395f87449f693dc419061cc21e970f139d466dc0a0", + "sha256:1e78fb68cf9c1a6aa4a9a12e960a5c9dfbdb89b3695197aa7064705662515de2", + "sha256:261b9f5d17cac914531331ff1b1d452125bf5daa05faf73b71d935485b0c510b", + "sha256:2b8bcf994563466db019fab287ff390fffbfdb4f905fc77bc1c1d604b1c689cc", + "sha256:38461d02d66de17455072c9ba981d35f1d2a73024bee7790ac2f9e361ef1cd0c", + "sha256:490132667476f6781b4c9458298b0c1cddf237488abd228b0b3650e5ecba7467", + "sha256:491e014f5c43656da08958808588cc6c016847b4360e327a62cb308c791bd2d9", + "sha256:515e1abc578dd3b275d6a5114030b1330ba044ffba03f94091842852f806f1c1", + "sha256:556de4430ce324c836789fa4560ca62d1591d2538b8ceb0b4f68fb7b2384a27a", + "sha256:5833593c25ac59ede40ed4de6d67eb42928cca97f26feea219f21d0ed0959b79", + "sha256:6221d84d463fb110bdd7619b69cb43878a11d51cbb9394ae3105d082d5199167", + "sha256:6918d49b1f90821e93069682c06ffde41829c346c66b721e65a5c62b4bab0300", + "sha256:6c38721585f285203e4b4132a352eb3daa19121a035f3182e08e437cface44bf", + "sha256:71932b597f9895f011f47f17d6428252fc728ba2ae6024e13c3398a087c2cdea", + "sha256:7211ef110a9194b6042449431e08c4d80c0481e5891e58d429df5899690511c2", + "sha256:764226ceef3125e53ea2cb275000e309c0aa5464d43bd72abd661e27fffc26ab", + "sha256:7645a8e814a3ee34a89c4a372011dcd817964ce8cb273c8ed6119d706e9613e3", + "sha256:76d4711f6f6d08551a7e9ef28c722f4a50dd0fc204c56b4bcd95c6cc05ce6fbb", + "sha256:7f4f399d28478d1f604c2ff9119907af9726aed73680e5ed1ca634d377abb087", + "sha256:88f7bc0fcca81f985f78dd0fa68d2c75abf8272b1f5c323ea4a01a4d7a614efc", + "sha256:8d0edd6b1c7fb94922bf569c9b092ee187a83f03fb1a63076e7774b60f9481a8", + "sha256:901289d524fdd571be1c7be054f48b1f88ce8dddcbdf1ec698b27d4b8b9e5d62", + "sha256:93ea75c050c5bb3d98016b4ba2497851eadf0ac154d88a67d7a6816206f6fa7f", + "sha256:981b9ab5a0a3178ff413bca62526bb784249421c24ad7381e39d67981be2c326", + "sha256:9ac08e601308e41eb533f232dbf6b7e4cea762f9f84f6357136eed926c15d12c", + "sha256:a02eb8ab2b8f200179b5f62b59757685ae9987996ae549ccf30f983f40602431", + "sha256:a0c6da9aee33ff0b1a451e867da0c1f47408112b3391dd43133838339e410963", + "sha256:a6c8097e01886188e5be3e6b14e94ab365f384736aa1fca6a0b9e35bd4a30bc7", + "sha256:aa384489fefeb62321b238e64c07ef48398fe80f9e1e6afeff22e140e0850eef", + "sha256:ad2a9eb6d9839ae241701d0918f54c51365a51407fd80f6b8289e2dfca977cc3", + "sha256:b206646d176a007466358aa21d85cd8600a415c67c9bd15403336c331a10d956", + "sha256:b826d97e4276750beca7c8f0f1a4938892697a6bcd8ec8217b3312dad6982781", + "sha256:b89ac9768b82205936771f8d2eb3ce88503b1556324c9f903e7156669f521472", + "sha256:bd7bd3b3830247580de99c99ea2a01416dfc3c34471ca1298bccabf86d0ff4dc", + "sha256:bdf1847068c362f16b353163391210269e4f0569a3c166bc6a9f74ccbfc7e839", + "sha256:c11b0746f5d946fecf750428a95f3e9ebe792c1ee3b1e96eeba145dc631a9672", + "sha256:c5374b80521d3d3f2ec5572e05adc94601985cc526fb276d0c8574a6d749f1b3", + "sha256:ca265542ca427bf97aed183c1676e2a9c66942e822b14dc6e5f42e038f92a503", + "sha256:ce31ae3e19f3c902de379cf1323d90c649425b86de7bbdf82871b8a2a0615f3d", + "sha256:ceb6ec0a10c65540421e20ebd29083c50e6d1143278746a4ef6bcf6153171eb8", + "sha256:d081f13b095d74b67d550de04df1c756831f3b83dc9881c38985834387487f1b", + "sha256:d5655a942f5f5d2c9ed93d72148226d75369b4f6952680211972a33e59b1dfdc", + "sha256:d5a32087d720c608f42caed0ef36d2b3ea61a9d09ee59a5142d6070da9041b8f", + "sha256:d6484756b12f40003c6128bfcc3fa9f0d49a687e171186c2d85ec82e3758c559", + "sha256:dd65632acaf0d47608190a71bfe46b209719bf2beb59507db08ccdbe712f969b", + "sha256:de343e75f40e972bae1ef6090267f8260c1446a1695e77096db6cfa25e759a95", + "sha256:e29cda763f752553fa14c68fb2195150bfab22b352572cb36c43c47bedba70eb", + "sha256:e41f3de4df3e80de75845d3e743b3f1c4c8613c3997a912dbf0229fc61a8b963", + "sha256:e66d2a64d44d50d2543405fb183a21f76b3b5fd16f130f5c99187c3fb4e64919", + "sha256:e74b0506fa5aa5598ac6a975a12aa8928cbb58e1f5ac8360792ef15de1aa848f", + "sha256:f0ed05f5079c708fe74bf9027e95125334b6978bf07fd5ab923e9e55e5fbb9d3", + "sha256:f61e2dc5ad442c52b4887f1fdc112f97caeff4d9e6ebe78879364ac59f1663e1", + "sha256:fec520865f42e5c7f050c2a79038897b1c7d1595e907a9e08e3353293ffc948e" + ], + "markers": "python_version >= '3.8'", + "version": "==1.4.0" }, "gitdb": { "hashes": [ @@ -587,11 +579,12 @@ }, "gitpython": { "hashes": [ - "sha256:5d3802b98a3bae1c2b8ae0e1ff2e4aa16bcdf02c145da34d092324f599f01395", - "sha256:85f7d365d1f6bf677ae51039c1ef67ca59091c7ebd5a3509aa399d4eda02d6dd" + "sha256:5f4c4187de49616d710a77e98ddf17b4782060a1788df441846bddefbb89ab33", + "sha256:f9b9ddc0761c125d5780eab2d64be4873fc6817c2899cbcb34b02344bdc7bc54" ], "index": "pypi", - "version": "==3.1.34" + "markers": "python_version >= '3.7'", + "version": "==3.1.37" }, "idna": { "hashes": [ @@ -603,75 +596,77 @@ }, "igraph": { "hashes": [ - "sha256:053cdff880e46dca5a754777a5b2d68e904e82e831c6eb8ba7fdaed8d004a888", - "sha256:06ca4879236cbb52dd33ddb8e5d562b387f91607fe2bc5f277054778560448c2", - "sha256:0a753a48f96c48d01944221f189b989a03151f6e0e37862675248612e45ddd18", - "sha256:169d7f1f8f1a39d1fa965dba0cab69b0d03de4b5e3272b196c60c3104a7e2735", - "sha256:1a21dae12de610474b5b64f92822f3da4af2cedd60413b56aa55cc165dc0c763", - "sha256:1a3dcf7b23e05dc7b1cf258bd82a52ed9a71e36ccc091480475bfe210ab60a17", - "sha256:1deb496ccf6a71d07f4952e05b6aea3dd10e18abae9aadcbfd88f640cc804fa1", - "sha256:26ae1fe7e4e55a851cdffcd302d9ad530303e47676424ee422dbede7450f948f", - "sha256:2913d91d9aeae107295fe238e1fe73d1150fca51b4e863c0442904dfb36f0d5a", - "sha256:3296e013c695488c313daa218aa5861dcd3623f298935f2f6f48b2bf1e65e5d0", - "sha256:3bb368af87b5ea1877baf0cc337e6d83bb688f1f81c9f75973da92c30a4106c3", - "sha256:3e93a2d6ac310d8f6b258aa659f1e2c36ed6a5c2982f79425e33a0d370df95c6", - "sha256:409f377ea828d73bdf8da1e8372492db570efea765508eb091ec827492604ab7", - "sha256:434f71859d39bfe7285c1ff02486492cf0d9236e50d2b0efd3f3fb316f106ebe", - "sha256:47637170741eb48550a18dc1072d354476866a3d6bc30b260a23acc04d15168f", - "sha256:4c743703ff6a9907deddf3f15ddb7a4e0d525a0055e5cf29ac2143b865fdf6c2", - "sha256:4f1a33d7bf8ebaaa0f6401db437e23c3fe90b13c042897fa6123e0cf63605149", - "sha256:521e9a1ab869d65cdc7713f2649794e8076c2d6b210dcad37ac6bcaffaf858de", - "sha256:527319db746f22adefba3ccbe1e7fba485edd14339af7c953e34e329f04d423f", - "sha256:53c0d0000f57c920549626b48e4b81685c268795df3657251763e50b83e8dac5", - "sha256:547f5e815063e68acd1efedf31ccb3f204a7d6e80fdddd96cb18b11610744912", - "sha256:6142060215c7bc5007f65ceffaa2ae1d84d0ef45bd9cbe8bc0670380200beb0f", - "sha256:62a39bcebfe863c607642e110c4846de9631caa4ce1c6e2e11fae9b1d66904dd", - "sha256:69d21b26599c86c6b937138280b13306f9b4e380498cc13896c603985c5ee80a", - "sha256:71a03c57550066a5cbf6fc6621d470fbf4abcf33ecb975a21e13e09cf45b965b", - "sha256:76f7aad294514412f835366a7d9a9c1e7a34c3e6ef0a6c3a1a835234323228e8", - "sha256:7e737d4946e30bf561272a394d3c35181d453ab605a9650812200510b92b58b8", - "sha256:7edef14bed493d104213e95a21252f6ac9374fb1383966244c9fb3c615927317", - "sha256:81c4809ae45406cb81f985b643d8c9516c0394fa5f0aabe9a617f6506501c97e", - "sha256:81fbd93bbe81127aa98247a777a4eb2902443079254696d5aaa0a146cff88663", - "sha256:82bacc57b40e6f2f1e7550073a283af38ed1ca9654f68796376eea1413988768", - "sha256:868b558ca3d3363e0864246c20a9e937f849125103bd5e1e45e5f233121c1632", - "sha256:936c681b3d6c507f3d1008c37d7ce6ef570d0ad932a94af1d512609da72a8ec1", - "sha256:95b1b02a3d0c321339f2ed7283f37a22591c3b6a084393748369d5815aafe0a9", - "sha256:96cdb8fdd9be3e4bd741b71436286f011f39bf7477cf7406d0d5ad9afa55f812", - "sha256:a1cc73149e5ae448054c04050e5cfcdd9d886f72883ec9ca11185e16f62df2b1", - "sha256:a4d88c6b392e70d1e8b9fb7747b545c9837b0232105ace379e63a6b08d987f23", - "sha256:ad8a9245d1d27f50003c387105a52a9794b070fcc448f23fd58f7288126500ea", - "sha256:b3e038f78324e138869358bf17f9e57bcd665f7ddf6ed4b5f83fcbfc782f5059", - "sha256:b40da28b2ed1b35d24794996ff38ed3292ddaeea8cbeb48da146df0bf32021ae", - "sha256:c08023eb9a3df384e5d8285ec8a60d0e5c1738c6d139a0b51ac5da024538d466", - "sha256:c21f39fd40f7a0534442cb52e7dc07ee59aad4e52238a3b1c5fcb76f880d9648", - "sha256:ca05a065108d126771d4867c1e6867fdc340f86f9634978de1326aa2de782138", - "sha256:d1a935f7cb7a7490eef225bb5072ba3208cddf4a26aab9395f21a5a6082ed48f", - "sha256:da6009f347bdf14191bb65352a9eb5b1e2ba9014d928306b60b460dc549d21c8", - "sha256:ddbbdaab269700d35969feaab73b9cbf7c55daa7711aaa01e0f9c598c9b8fbe1", - "sha256:e1d3a0882224dafadb259a0e660650779a7714f3d931a03127af43ef05a4d6e2", - "sha256:eb97640e9e71913015e7073341a5f6b4017fe025222950873c507d4ee97670f9", - "sha256:eca5d01773a8b48bb585fb972c8afcf0cbfb791627a6706ccf56c0685b8ccca7", - "sha256:f375b5e9faea3381c9bb878195cbfc83444a13fb357f8e6c5767d2d9e3745e26" - ], - "index": "pypi", - "version": "==0.10.6" + "sha256:00ae729d928d2218822a1f1f07d1286918456f9d587691a4c1c743b2206dadd6", + "sha256:03f5ab062e2caa092da901266258193963cc38690964e4c75b5ef2b457b86f35", + "sha256:06f9e40959ff7760cd426f7c53ee7645ae8d32192899b43c0a6862eb9daee86c", + "sha256:0e5d00251082fe7e4044aa58b153b7f6250dbbff49b97f3c7f2400f31f456456", + "sha256:14142ba6bbb4cbbc211b2abf42f06b3771bd806836eb101c8a174cf5e175d455", + "sha256:15927b565094bd5d3ec3a89ce4abd6087c3d07bf03dd6d506dd05f2678de963d", + "sha256:16ab9181fce33b8f04af99b08a81af45e606a3acd1e128ac61e927aa876d36f2", + "sha256:1b658e128eca02a7402719712d99b3511dd2e45468048cf17bc68401c706b8db", + "sha256:1df0e91843214196e60d0053ee54019da342a5415e828ae71990e662f387fd2a", + "sha256:275ccbfc0dcc039af3d3f396017c34175f6d49ec62e87837de29c602cbff6585", + "sha256:27c47695fe37f4cecbbe84c56326c6aed1ef876a62838c995cc7f7dd6fc8d408", + "sha256:2e06c95127a3a1accaae70c3e3941d7118d2ae2c69cc5cff2d92cc9f88566780", + "sha256:2e84717cbffc93561a625c6e9460eeea858f2399f44dda6c1aa3d76186efb75d", + "sha256:307dad89a4898f621b457268d67d1a6717acaeffc0041bddcdcab38ecca7cc48", + "sha256:31c492ee77e11677e951c48d727c76fb5caf1e8f8e251329d8fa77c491cb5b13", + "sha256:32118060a9e86533cd108481af23b6d7d8010808775634ae41ece51a0e4d0899", + "sha256:3cc8349311d9ffe225f752e093cebf5d21929f1bfa7281e510248706b6516199", + "sha256:41ce1dd8c4d0e4069c52bf414ddae2bb4a307b6764496905c8985c5d457e1877", + "sha256:42fb6b69de069d0dc66a8606ad486aae19b500b01268cb1e64877ea931bd7ad7", + "sha256:473af40ebae68d522a245b5076164153d4b15eb3d47f31941753a11569441bcc", + "sha256:4a7c9a210681c7c7b70d35f46da52fed4415049c5557625127bf738434270763", + "sha256:4b788969af5bd3bb51eac510cef6ed635d8a194713b46a3c4aa1c7af4b61c008", + "sha256:547c2db0cd7bc59e20bcd794e1d53d9778b7950cee0ce9ada79bc61646fbb28a", + "sha256:5a25bb782bfb1ac1f6d7f5815d1036a3e93bac2b4990edf135a07b4aa8008355", + "sha256:5f3e29f89ae9ce5c60ef09a0a5d3ea41aac6bf54cce0110f4e8dfcc782eb4f90", + "sha256:7432c99134e0e8efb52d583221fd2cdac1f3955fcf07f720e2b72daec9bcf933", + "sha256:76e4397b9f9f94ef08353e12f335e762a7fd39a72970de11f5bc97e178aea9c5", + "sha256:7a4f97e2a1b4aa9cc5e18d18fbc7813c6fae3faa19fcd54323a2fd9e1e2d2c18", + "sha256:7e496a31373416ecbae7468cd8a6462034a622b593834684d3e1f166e1562225", + "sha256:7ee4e9cb183a92524f336399b548d2540f5150ab7ce6a270618709efa9e04c58", + "sha256:84d9c4bccdb3fdba5f2dea33d79a073f01d759ddef37787a29caba45743265ef", + "sha256:883f99668c78a7e388b00048c1a78048ac01725ea07329c2fdc01759b4cae808", + "sha256:88ee0d0ab83481f365ef4e56f9f9e9f70001d90ebd6ed98e368060494481d022", + "sha256:89fca31ca33957dae5df4ecf032c08eb1e897cbc5856cdaad52b67c6ace3f074", + "sha256:8bde908a00291d32eafe02f502d82a62698cc7740933e3744c1cbd3f848a52ed", + "sha256:922c85e2c6a29c09b8fadac3c92e0e38eecaaff48b5c569b82cf006409c4ba4a", + "sha256:9b961bf2ddd998308ee54b85fafaeb02e358a548515362d537dfc57b25c3855b", + "sha256:9f816bf387fbd9fc31a13271d031ddaf8c0c00da416ebced6701cba7856d7ac1", + "sha256:a405bdb885e2bd3f213e39ba3ee6e0cd3d1722beeb54afd60051f6b269228b0f", + "sha256:c13c1eb644c20213d93dc9aee3016530ff1a9b9d7e8cf2a4ead3224b8a06e517", + "sha256:ccfb1232c72d0eb56876b7e9a8e04fc8158102b73160215b0f5f672c1c8c2588", + "sha256:d1bb61e475dc637f7cb4a9175c79c77ee212374ce1225c7b41f643ed22a5451a", + "sha256:d3b7893573060d117917e4f2121e524ed849bbf9f9a63a082001e1a4c5225b46", + "sha256:d7bd3455c93486b2f443f6f177792a358540207334b66dc73681d63972e1f1d9", + "sha256:df99402198764a9621f18e561f82b151ab295044d6a595d5a70d7eabfb8e0c5b", + "sha256:e2ce856489ae76ebc286535a64833d141f7ea43a106ba3485cd7ea9bbd47871c", + "sha256:e5c692fce053ba79b9d4b82b40e092b83a2bd14e04a09871c8e4a68c39932010", + "sha256:eb9951bd3a35ca17253d47f5e7f5bc3609028f29255bdfd79bbcdbb902568b63", + "sha256:f32725d6ba54f371e7a626b9eabac873f6ae6f212e6ee35a6c602a64a5b8e865", + "sha256:fc4021242f00adb150e759692da065bddef5af22afea387cd5a726461946b93b" + ], + "index": "pypi", + "markers": "python_version >= '3.7'", + "version": "==0.10.8" }, "importlib-metadata": { "hashes": [ - "sha256:8a8a81bcf996e74fee46f0d16bd3eaa382a7eb20fd82445c3ad11f4090334116", - "sha256:dd0173e8f150d6815e098fd354f6414b0f079af4644ddfe90c71e2fc6174346d" + "sha256:3ebb78df84a805d7698245025b975d9d67053cd94c79245ba4b3eb694abe68bb", + "sha256:dbace7892d8c0c4ac1ad096662232f831d4e64f4c4545bd53016a3e9d4654743" ], "index": "pypi", - "version": "==4.13.0" + "markers": "python_version >= '3.8'", + "version": "==6.8.0" }, "importlib-resources": { "hashes": [ - "sha256:4be82589bf5c1d7999aedf2a45159d10cb3ca4f19b2271f8792bc8e6da7b22f6", - "sha256:7b1deeebbf351c7578e09bf2f63fa2ce8b5ffec296e0d349139d43cca061a81a" + "sha256:9d48dcccc213325e810fd723e7fbb45ccb39f6cf5c31f00cf2b965f5f10f3cb9", + "sha256:aa50258bbfa56d4e33fbd8aa3ef48ded10d1735f11532b8df95388cc6bdb7e83" ], "markers": "python_version < '3.9'", - "version": "==5.12.0" + "version": "==6.1.0" }, "isodate": { "hashes": [ @@ -694,15 +689,25 @@ "sha256:90261b206d6defd58fdd5e85f478bf633a2901798906be2ad389150c5c60edbe" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==1.0.1" }, "jsonschema": { "hashes": [ - "sha256:0f864437ab8b6076ba6707453ef8f98a6a0d512a80e93f8abdb676f737ecb60d", - "sha256:a870ad254da1a8ca84b6a2905cac29d265f805acc57af304784962a2aa6508f6" + "sha256:cd5f1f9ed9444e554b38ba003af06c0a8c2868131e56bfbef0550fb450c0330e", + "sha256:ec84cc37cfa703ef7cd4928db24f9cb31428a5d0fa77747b8b51a847458e0bbf" ], "index": "pypi", - "version": "==4.17.3" + "markers": "python_version >= '3.8'", + "version": "==4.19.1" + }, + "jsonschema-specifications": { + "hashes": [ + "sha256:05adf340b659828a004220a9613be00fa3f223f2b82002e273dee62fd50524b1", + "sha256:c91a50404e88a1f6ba40636778e2ee08f6e24c5613fe4c53ac24578a5a7f72bb" + ], + "markers": "python_version >= '3.8'", + "version": "==2023.7.1" }, "junit-xml": { "hashes": [ @@ -726,6 +731,7 @@ "sha256:8d7e5e2de0d04fc104a4f952c440e8f08a5ba63480a0dad015b294770b7e58ec" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==30.1.1" }, "markdown": { @@ -742,8 +748,11 @@ "sha256:0a4e4a1aff6c7ac4cd55792abf96c915634c2b97e3cc1c7129578aa68ebd754e", "sha256:10bbfe99883db80bdbaff2dcf681dfc6533a614f700da1287707e8a5d78a8431", "sha256:134da1eca9ec0ae528110ccc9e48041e0828d79f24121a1a146161103c76e686", + "sha256:14ff806850827afd6b07a5f32bd917fb7f45b046ba40c57abdb636674a8b559c", "sha256:1577735524cdad32f9f694208aa75e422adba74f1baee7551620e43a3141f559", "sha256:1b40069d487e7edb2676d3fbdb2b0829ffa2cd63a2ec26c4938b2d34391b4ecc", + "sha256:1b8dd8c3fd14349433c79fa8abeb573a55fc0fdd769133baac1f5e07abf54aeb", + "sha256:1f67c7038d560d92149c060157d623c542173016c4babc0c1913cca0564b9939", "sha256:282c2cb35b5b673bbcadb33a585408104df04f14b2d9b01d4c345a3b92861c2c", "sha256:2c1b19b3aaacc6e57b7e25710ff571c24d6c3613a45e905b1fde04d691b98ee0", "sha256:2ef12179d3a291be237280175b542c07a36e7f60718296278d8593d21ca937d4", @@ -751,6 +760,7 @@ "sha256:3c0fae6c3be832a0a0473ac912810b2877c8cb9d76ca48de1ed31e1c68386575", "sha256:3fd4abcb888d15a94f32b75d8fd18ee162ca0c064f35b11134be77050296d6ba", "sha256:42de32b22b6b804f42c5d98be4f7e5e977ecdd9ee9b660fda1a3edf03b11792d", + "sha256:47d4f1c5f80fc62fdd7777d0d40a2e9dda0a05883ab11374334f6c4de38adffd", "sha256:504b320cd4b7eff6f968eddf81127112db685e81f7e36e75f9f84f0df46041c3", "sha256:525808b8019e36eb524b8c68acdd63a37e75714eac50e988180b169d64480a00", "sha256:56d9f2ecac662ca1611d183feb03a3fa4406469dafe241673d521dd5ae92a155", @@ -759,6 +769,7 @@ "sha256:68e78619a61ecf91e76aa3e6e8e33fc4894a2bebe93410754bd28fce0a8a4f9f", "sha256:69c0f17e9f5a7afdf2cc9fb2d1ce6aabdb3bafb7f38017c0b77862bcec2bbad8", "sha256:6b2b56950d93e41f33b4223ead100ea0fe11f8e6ee5f641eb753ce4b77a7042b", + "sha256:715d3562f79d540f251b99ebd6d8baa547118974341db04f5ad06d5ea3eb8007", "sha256:787003c0ddb00500e49a10f2844fac87aa6ce977b90b0feaaf9de23c22508b24", "sha256:7ef3cb2ebbf91e330e3bb937efada0edd9003683db6b57bb108c4001f37a02ea", "sha256:8023faf4e01efadfa183e863fefde0046de576c6f14659e8782065bcece22198", @@ -766,9 +777,12 @@ "sha256:8afafd99945ead6e075b973fefa56379c5b5c53fd8937dad92c662da5d8fd5ee", "sha256:8c41976a29d078bb235fea9b2ecd3da465df42a562910f9022f1a03107bd02be", "sha256:8e254ae696c88d98da6555f5ace2279cf7cd5b3f52be2b5cf97feafe883b58d2", + "sha256:8f9293864fe09b8149f0cc42ce56e3f0e54de883a9de90cd427f191c346eb2e1", "sha256:9402b03f1a1b4dc4c19845e5c749e3ab82d5078d16a2a4c2cd2df62d57bb0707", "sha256:962f82a3086483f5e5f64dbad880d31038b698494799b097bc59c2edf392fce6", + "sha256:9aad3c1755095ce347e26488214ef77e0485a3c34a50c5a5e2471dff60b9dd9c", "sha256:9dcdfd0eaf283af041973bff14a2e143b8bd64e069f4c383416ecd79a81aab58", + "sha256:aa57bd9cf8ae831a362185ee444e15a93ecb2e344c8e52e4d721ea3ab6ef1823", "sha256:aa7bd130efab1c280bed0f45501b7c8795f9fdbeb02e965371bbef3523627779", "sha256:ab4a0df41e7c16a1392727727e7998a467472d0ad65f3ad5e6e765015df08636", "sha256:ad9e82fb8f09ade1c3e1b996a6337afac2b8b9e365f926f5a61aacc71adc5b3c", @@ -787,7 +801,9 @@ "sha256:df0be2b576a7abbf737b1575f048c23fb1d769f267ec4358296f31c2479db8f9", "sha256:e09031c87a1e51556fdcb46e5bd4f59dfb743061cf93c4d6831bf894f125eb57", "sha256:e4dd52d80b8c83fdce44e12478ad2e85c64ea965e75d66dbeafb0a3e77308fcc", - "sha256:fec21693218efe39aa7f8599346e90c705afa52c5b31ae019b2e57e8f6542bb2" + "sha256:f698de3fd0c4e6972b92290a45bd9b1536bffe8c6759c62471efaa8acb4c37bc", + "sha256:fec21693218efe39aa7f8599346e90c705afa52c5b31ae019b2e57e8f6542bb2", + "sha256:ffcc3f7c66b5f5b7931a5aa68fc9cecc51e685ef90282f4a82f0f5e9b704ad11" ], "markers": "python_version >= '3.7'", "version": "==2.1.3" @@ -878,15 +894,51 @@ "sha256:c0946ed31d71f1b732b5aaa6da5a0388a345019af232ce2f49c766e2d6795c51" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==2.6.3" }, + "numpy": { + "hashes": [ + "sha256:04640dab83f7c6c85abf9cd729c5b65f1ebd0ccf9de90b270cd61935eef0197f", + "sha256:1452241c290f3e2a312c137a9999cdbf63f78864d63c79039bda65ee86943f61", + "sha256:222e40d0e2548690405b0b3c7b21d1169117391c2e82c378467ef9ab4c8f0da7", + "sha256:2541312fbf09977f3b3ad449c4e5f4bb55d0dbf79226d7724211acc905049400", + "sha256:31f13e25b4e304632a4619d0e0777662c2ffea99fcae2029556b17d8ff958aef", + "sha256:4602244f345453db537be5314d3983dbf5834a9701b7723ec28923e2889e0bb2", + "sha256:4979217d7de511a8d57f4b4b5b2b965f707768440c17cb70fbf254c4b225238d", + "sha256:4c21decb6ea94057331e111a5bed9a79d335658c27ce2adb580fb4d54f2ad9bc", + "sha256:6620c0acd41dbcb368610bb2f4d83145674040025e5536954782467100aa8835", + "sha256:692f2e0f55794943c5bfff12b3f56f99af76f902fc47487bdfe97856de51a706", + "sha256:7215847ce88a85ce39baf9e89070cb860c98fdddacbaa6c0da3ffb31b3350bd5", + "sha256:79fc682a374c4a8ed08b331bef9c5f582585d1048fa6d80bc6c35bc384eee9b4", + "sha256:7ffe43c74893dbf38c2b0a1f5428760a1a9c98285553c89e12d70a96a7f3a4d6", + "sha256:80f5e3a4e498641401868df4208b74581206afbee7cf7b8329daae82676d9463", + "sha256:95f7ac6540e95bc440ad77f56e520da5bf877f87dca58bd095288dce8940532a", + "sha256:9667575fb6d13c95f1b36aca12c5ee3356bf001b714fc354eb5465ce1609e62f", + "sha256:a5425b114831d1e77e4b5d812b69d11d962e104095a5b9c3b641a218abcc050e", + "sha256:b4bea75e47d9586d31e892a7401f76e909712a0fd510f58f5337bea9572c571e", + "sha256:b7b1fc9864d7d39e28f41d089bfd6353cb5f27ecd9905348c24187a768c79694", + "sha256:befe2bf740fd8373cf56149a5c23a0f601e82869598d41f8e188a0e9869926f8", + "sha256:c0bfb52d2169d58c1cdb8cc1f16989101639b34c7d3ce60ed70b19c63eba0b64", + "sha256:d11efb4dbecbdf22508d55e48d9c8384db795e1b7b51ea735289ff96613ff74d", + "sha256:dd80e219fd4c71fc3699fc1dadac5dcf4fd882bfc6f7ec53d30fa197b8ee22dc", + "sha256:e2926dac25b313635e4d6cf4dc4e51c8c0ebfed60b801c799ffc4c32bf3d1254", + "sha256:e98f220aa76ca2a977fe435f5b04d7b3470c0a2e6312907b37ba6068f26787f2", + "sha256:ed094d4f0c177b1b8e7aa9cba7d6ceed51c0e569a5318ac0ca9a090680a6a1b1", + "sha256:f136bab9c2cfd8da131132c2cf6cc27331dd6fae65f95f69dcd4ae3c3639c810", + "sha256:f3a86ed21e4f87050382c7bc96571755193c4c1392490744ac73d660e8f564a9" + ], + "markers": "python_version >= '3.8'", + "version": "==1.24.4" + }, "openai": { "hashes": [ - "sha256:417b78c4c2864ba696aedaf1ccff77be1f04a581ab1739f0a56e0aae19e5a794", - "sha256:d207ece78469be5648eb87b825753282225155a29d0eec6e02013ddbf8c31c0c" + "sha256:4be1dad329a65b4ce1a660fe6d5431b438f429b5855c883435f0f7fcb6d2dcc8", + "sha256:d18690f9e3d31eedb66b57b88c2165d760b24ea0a01f150dd3f068155088ce68" ], "index": "pypi", - "version": "==0.28.0" + "markers": "python_full_version >= '3.7.1'", + "version": "==0.28.1" }, "packageurl-python": { "hashes": [ @@ -894,6 +946,7 @@ "sha256:799acfe8d9e6e3534bbc19660be97d5b66754bc033e62c39f1e2f16323fcfa84" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==0.11.2" }, "packaging": { @@ -902,6 +955,7 @@ "sha256:a392980d2b6cffa644431898be54b0045151319d1e7ec34f0cfed48767dd334f" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==23.1" }, "pkgutil-resolve-name": { @@ -921,11 +975,11 @@ }, "policy-sentry": { "hashes": [ - "sha256:9c59a0c8d34b456202c96342ee38cc34f87176219e6b8aa212d385122b526867", - "sha256:f54b9286fb7095a45890f315738558ff5648b934a26e6fb227b30ff9aab2bbda" + "sha256:5a09f845c9c7b8afe0e14778d3b53039bcf63e1c1a42b276eb198756dbcb9ad6", + "sha256:b8cf00a11a2a335d2bceba5dc1998182288a4b7848916a77923a6a2e0bc84373" ], "markers": "python_version >= '3.6'", - "version": "==0.12.9" + "version": "==0.12.10" }, "policyuniverse": { "hashes": [ @@ -933,15 +987,17 @@ "sha256:7920896195af163230635f1a5cee0958f56003ef8c421f805ec81f134f80a57c" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==1.5.1.20230817" }, "prettytable": { "hashes": [ - "sha256:ef8334ee40b7ec721651fc4d37ecc7bb2ef55fde5098d994438f0dfdaa385c0c", - "sha256:f4aaf2ed6e6062a82fd2e6e5289bbbe705ec2788fe401a3a1f62a1cea55526d2" + "sha256:a71292ab7769a5de274b146b276ce938786f56c31cf7cea88b6f3775d82fe8c8", + "sha256:f4ed94803c23073a90620b201965e5dc0bccf1760b7a7eaf3158cab8aaffdf34" ], "index": "pypi", - "version": "==3.7.0" + "markers": "python_version >= '3.8'", + "version": "==3.9.0" }, "pycares": { "hashes": [ @@ -1006,6 +1062,7 @@ "sha256:a3edd1c3d280c283d614c865a854a693daf56c35cd4095b373016c214baa76dd" ], "index": "pypi", + "markers": "python_version >= '3.7' and python_version < '4.0'", "version": "==0.4.1" }, "pycparser": { @@ -1023,39 +1080,6 @@ "markers": "python_full_version >= '3.6.8'", "version": "==3.1.1" }, - "pyrsistent": { - "hashes": [ - "sha256:016ad1afadf318eb7911baa24b049909f7f3bb2c5b1ed7b6a8f21db21ea3faa8", - "sha256:1a2994773706bbb4995c31a97bc94f1418314923bd1048c6d964837040376440", - "sha256:20460ac0ea439a3e79caa1dbd560344b64ed75e85d8703943e0b66c2a6150e4a", - "sha256:3311cb4237a341aa52ab8448c27e3a9931e2ee09561ad150ba94e4cfd3fc888c", - "sha256:3a8cb235fa6d3fd7aae6a4f1429bbb1fec1577d978098da1252f0489937786f3", - "sha256:3ab2204234c0ecd8b9368dbd6a53e83c3d4f3cab10ecaf6d0e772f456c442393", - "sha256:42ac0b2f44607eb92ae88609eda931a4f0dfa03038c44c772e07f43e738bcac9", - "sha256:49c32f216c17148695ca0e02a5c521e28a4ee6c5089f97e34fe24163113722da", - "sha256:4b774f9288dda8d425adb6544e5903f1fb6c273ab3128a355c6b972b7df39dcf", - "sha256:4c18264cb84b5e68e7085a43723f9e4c1fd1d935ab240ce02c0324a8e01ccb64", - "sha256:5a474fb80f5e0d6c9394d8db0fc19e90fa540b82ee52dba7d246a7791712f74a", - "sha256:64220c429e42a7150f4bfd280f6f4bb2850f95956bde93c6fda1b70507af6ef3", - "sha256:878433581fc23e906d947a6814336eee031a00e6defba224234169ae3d3d6a98", - "sha256:99abb85579e2165bd8522f0c0138864da97847875ecbd45f3e7e2af569bfc6f2", - "sha256:a2471f3f8693101975b1ff85ffd19bb7ca7dd7c38f8a81701f67d6b4f97b87d8", - "sha256:aeda827381f5e5d65cced3024126529ddc4289d944f75e090572c77ceb19adbf", - "sha256:b735e538f74ec31378f5a1e3886a26d2ca6351106b4dfde376a26fc32a044edc", - "sha256:c147257a92374fde8498491f53ffa8f4822cd70c0d85037e09028e478cababb7", - "sha256:c4db1bd596fefd66b296a3d5d943c94f4fac5bcd13e99bffe2ba6a759d959a28", - "sha256:c74bed51f9b41c48366a286395c67f4e894374306b197e62810e0fdaf2364da2", - "sha256:c9bb60a40a0ab9aba40a59f68214eed5a29c6274c83b2cc206a359c4a89fa41b", - "sha256:cc5d149f31706762c1f8bda2e8c4f8fead6e80312e3692619a75301d3dbb819a", - "sha256:ccf0d6bd208f8111179f0c26fdf84ed7c3891982f2edaeae7422575f47e66b64", - "sha256:e42296a09e83028b3476f7073fcb69ffebac0e66dbbfd1bd847d61f74db30f19", - "sha256:e8f2b814a3dc6225964fa03d8582c6e0b6650d68a232df41e3cc1b66a5d2f8d1", - "sha256:f0774bf48631f3a20471dd7c5989657b639fd2d285b861237ea9e82c36a415a9", - "sha256:f0e7c4b2f77593871e918be000b96c8107da48444d57005b6a6bc61fb4331b2c" - ], - "markers": "python_version >= '3.7'", - "version": "==0.19.3" - }, "pyston": { "hashes": [ "sha256:30caaee3b58d92817efa2cd4f32c24289dd5f4ddf9b5b4ec5b62ed564230ca8a", @@ -1162,109 +1186,118 @@ "sha256:fd66fc5d0da6d9815ba2cebeb4205f95818ff4b79c3ebe268e75d961704af52f" ], "index": "pypi", + "markers": "python_version >= '3.6'", "version": "==6.0.1" }, "rdflib": { "hashes": [ - "sha256:36b4e74a32aa1e4fa7b8719876fb192f19ecd45ff932ea5ebbd2e417a0247e63", - "sha256:72af591ff704f4caacea7ecc0c5a9056b8553e0489dd4f35a9bc52dbd41522e0" + "sha256:0438920912a642c866a513de6fe8a0001bd86ef975057d6962c79ce4771687cd", + "sha256:9995eb8569428059b8c1affd26b25eac510d64f5043d9ce8c84e0d0036e995ae" ], - "markers": "python_version >= '3.7' and python_version < '4.0'", - "version": "==6.3.2" + "markers": "python_full_version >= '3.8.1' and python_full_version < '4.0.0'", + "version": "==7.0.0" + }, + "referencing": { + "hashes": [ + "sha256:449b6669b6121a9e96a7f9e410b245d471e8d48964c67113ce9afe50c8dd7bdf", + "sha256:794ad8003c65938edcdbc027f1933215e0d0ccc0291e3ce20a4d87432b59efc0" + ], + "markers": "python_version >= '3.8'", + "version": "==0.30.2" }, "regex": { "hashes": [ - "sha256:0085da0f6c6393428bf0d9c08d8b1874d805bb55e17cb1dfa5ddb7cfb11140bf", - "sha256:06c57e14ac723b04458df5956cfb7e2d9caa6e9d353c0b4c7d5d54fcb1325c46", - "sha256:09b7f4c66aa9d1522b06e31a54f15581c37286237208df1345108fcf4e050c18", - "sha256:0c59122ceccb905a941fb23b087b8eafc5290bf983ebcb14d2301febcbe199c7", - "sha256:1005c60ed7037be0d9dea1f9c53cc42f836188227366370867222bda4c3c6bd7", - "sha256:14898830f0a0eb67cae2bbbc787c1a7d6e34ecc06fbd39d3af5fe29a4468e2c9", - "sha256:14dc6f2d88192a67d708341f3085df6a4f5a0c7b03dec08d763ca2cd86e9f559", - "sha256:1e7d84d64c84ad97bf06f3c8cb5e48941f135ace28f450d86af6b6512f1c9a71", - "sha256:2162ae2eb8b079622176a81b65d486ba50b888271302190870b8cc488587d280", - "sha256:22283c769a7b01c8ac355d5be0715bf6929b6267619505e289f792b01304d898", - "sha256:239c3c2a339d3b3ddd51c2daef10874410917cd2b998f043c13e2084cb191684", - "sha256:293352710172239bf579c90a9864d0df57340b6fd21272345222fb6371bf82b3", - "sha256:2ae54a338191e1356253e7883d9d19f8679b6143703086245fb14d1f20196be9", - "sha256:2e73e5243af12d9cd6a9d6a45a43570dbe2e5b1cdfc862f5ae2b031e44dd95a8", - "sha256:2e9216e0d2cdce7dbc9be48cb3eacb962740a09b011a116fd7af8c832ab116ca", - "sha256:3026cbcf11d79095a32d9a13bbc572a458727bd5b1ca332df4a79faecd45281c", - "sha256:3611576aff55918af2697410ff0293d6071b7e00f4b09e005d614686ac4cd57c", - "sha256:3ae646c35cb9f820491760ac62c25b6d6b496757fda2d51be429e0e7b67ae0ab", - "sha256:3b8e6ea6be6d64104d8e9afc34c151926f8182f84e7ac290a93925c0db004bfd", - "sha256:3d370ff652323c5307d9c8e4c62efd1956fb08051b0e9210212bc51168b4ff56", - "sha256:3f7454aa427b8ab9101f3787eb178057c5250478e39b99540cfc2b889c7d0586", - "sha256:40f029d73b10fac448c73d6eb33d57b34607f40116e9f6e9f0d32e9229b147d7", - "sha256:423adfa872b4908843ac3e7a30f957f5d5282944b81ca0a3b8a7ccbbfaa06103", - "sha256:4873ef92e03a4309b3ccd8281454801b291b689f6ad45ef8c3658b6fa761d7ac", - "sha256:48c640b99213643d141550326f34f0502fedb1798adb3c9eb79650b1ecb2f177", - "sha256:4ae594c66f4a7e1ea67232a0846649a7c94c188d6c071ac0210c3e86a5f92109", - "sha256:4b694430b3f00eb02c594ff5a16db30e054c1b9589a043fe9174584c6efa8033", - "sha256:51d8ea2a3a1a8fe4f67de21b8b93757005213e8ac3917567872f2865185fa7fb", - "sha256:54de2619f5ea58474f2ac211ceea6b615af2d7e4306220d4f3fe690c91988a61", - "sha256:551ad543fa19e94943c5b2cebc54c73353ffff08228ee5f3376bd27b3d5b9800", - "sha256:5543c055d8ec7801901e1193a51570643d6a6ab8751b1f7dd9af71af467538bb", - "sha256:5cd9cd7170459b9223c5e592ac036e0704bee765706445c353d96f2890e816c8", - "sha256:5ec4b3f0aebbbe2fc0134ee30a791af522a92ad9f164858805a77442d7d18570", - "sha256:67ecd894e56a0c6108ec5ab1d8fa8418ec0cff45844a855966b875d1039a2e34", - "sha256:6ab2ed84bf0137927846b37e882745a827458689eb969028af8032b1b3dac78e", - "sha256:704f63b774218207b8ccc6c47fcef5340741e5d839d11d606f70af93ee78e4d4", - "sha256:7098c524ba9f20717a56a8d551d2ed491ea89cbf37e540759ed3b776a4f8d6eb", - "sha256:7aed90a72fc3654fba9bc4b7f851571dcc368120432ad68b226bd593f3f6c0b7", - "sha256:7ce606c14bb195b0e5108544b540e2c5faed6843367e4ab3deb5c6aa5e681208", - "sha256:7eb95fe8222932c10d4436e7a6f7c99991e3fdd9f36c949eff16a69246dee2dc", - "sha256:80b80b889cb767cc47f31d2b2f3dec2db8126fbcd0cff31b3925b4dc6609dcdb", - "sha256:82cd0a69cd28f6cc3789cc6adeb1027f79526b1ab50b1f6062bbc3a0ccb2dbc3", - "sha256:83215147121e15d5f3a45d99abeed9cf1fe16869d5c233b08c56cdf75f43a504", - "sha256:88900f521c645f784260a8d346e12a1590f79e96403971241e64c3a265c8ecdb", - "sha256:91129ff1bb0619bc1f4ad19485718cc623a2dc433dff95baadbf89405c7f6b57", - "sha256:920974009fb37b20d32afcdf0227a2e707eb83fe418713f7a8b7de038b870d0b", - "sha256:9233ac249b354c54146e392e8a451e465dd2d967fc773690811d3a8c240ac601", - "sha256:941460db8fe3bd613db52f05259c9336f5a47ccae7d7def44cc277184030a116", - "sha256:942f8b1f3b223638b02df7df79140646c03938d488fbfb771824f3d05fc083a8", - "sha256:964b16dcc10c79a4a2be9f1273fcc2684a9eedb3906439720598029a797b46e6", - "sha256:9691a549c19c22d26a4f3b948071e93517bdf86e41b81d8c6ac8a964bb71e5a6", - "sha256:96979d753b1dc3b2169003e1854dc67bfc86edf93c01e84757927f810b8c3c93", - "sha256:987b9ac04d0b38ef4f89fbc035e84a7efad9cdd5f1e29024f9289182c8d99e09", - "sha256:988631b9d78b546e284478c2ec15c8a85960e262e247b35ca5eaf7ee22f6050a", - "sha256:9a96edd79661e93327cfeac4edec72a4046e14550a1d22aa0dd2e3ca52aec921", - "sha256:9b7408511fca48a82a119d78a77c2f5eb1b22fe88b0d2450ed0756d194fe7a9a", - "sha256:9dd6082f4e2aec9b6a0927202c85bc1b09dcab113f97265127c1dc20e2e32495", - "sha256:a2ad5add903eb7cdde2b7c64aaca405f3957ab34f16594d2b78d53b8b1a6a7d6", - "sha256:a8c65c17aed7e15a0c824cdc63a6b104dfc530f6fa8cb6ac51c437af52b481c7", - "sha256:aadf28046e77a72f30dcc1ab185639e8de7f4104b8cb5c6dfa5d8ed860e57236", - "sha256:b076da1ed19dc37788f6a934c60adf97bd02c7eea461b73730513921a85d4235", - "sha256:b2aeab3895d778155054abea5238d0eb9a72e9242bd4b43f42fd911ef9a13470", - "sha256:b82edc98d107cbc7357da7a5a695901b47d6eb0420e587256ba3ad24b80b7d0b", - "sha256:b8a0ccc8f2698f120e9e5742f4b38dc944c38744d4bdfc427616f3a163dd9de5", - "sha256:b993b6f524d1e274a5062488a43e3f9f8764ee9745ccd8e8193df743dbe5ee61", - "sha256:bb34d1605f96a245fc39790a117ac1bac8de84ab7691637b26ab2c5efb8f228c", - "sha256:bd3366aceedf274f765a3a4bc95d6cd97b130d1dda524d8f25225d14123c01db", - "sha256:c12f6f67495ea05c3d542d119d270007090bad5b843f642d418eb601ec0fa7be", - "sha256:c662a4cbdd6280ee56f841f14620787215a171c4e2d1744c9528bed8f5816c96", - "sha256:c884d1a59e69e03b93cf0dfee8794c63d7de0ee8f7ffb76e5f75be8131b6400a", - "sha256:ca339088839582d01654e6f83a637a4b8194d0960477b9769d2ff2cfa0fa36d2", - "sha256:cd2b6c5dfe0929b6c23dde9624483380b170b6e34ed79054ad131b20203a1a63", - "sha256:ce0f9fbe7d295f9922c0424a3637b88c6c472b75eafeaff6f910494a1fa719ef", - "sha256:cf0633e4a1b667bfe0bb10b5e53fe0d5f34a6243ea2530eb342491f1adf4f739", - "sha256:cf9273e96f3ee2ac89ffcb17627a78f78e7516b08f94dc435844ae72576a276e", - "sha256:d909b5a3fff619dc7e48b6b1bedc2f30ec43033ba7af32f936c10839e81b9217", - "sha256:d9b6627408021452dcd0d2cdf8da0534e19d93d070bfa8b6b4176f99711e7f90", - "sha256:de35342190deb7b866ad6ba5cbcccb2d22c0487ee0cbb251efef0843d705f0d4", - "sha256:e51c80c168074faa793685656c38eb7a06cbad7774c8cbc3ea05552d615393d8", - "sha256:e6bd1e9b95bc5614a7a9c9c44fde9539cba1c823b43a9f7bc11266446dd568e3", - "sha256:e7a9aaa5a1267125eef22cef3b63484c3241aaec6f48949b366d26c7250e0357", - "sha256:e951d1a8e9963ea51efd7f150450803e3b95db5939f994ad3d5edac2b6f6e2b4", - "sha256:e9941a4ada58f6218694f382e43fdd256e97615db9da135e77359da257a7168b", - "sha256:f0640913d2c1044d97e30d7c41728195fc37e54d190c5385eacb52115127b882", - "sha256:f0ccf3e01afeb412a1a9993049cb160d0352dba635bbca7762b2dc722aa5742a", - "sha256:f2181c20ef18747d5f4a7ea513e09ea03bdd50884a11ce46066bb90fe4213675", - "sha256:f2200e00b62568cfd920127782c61bc1c546062a879cdc741cfcc6976668dfcf", - "sha256:fcbdc5f2b0f1cd0f6a56cdb46fe41d2cce1e644e3b68832f3eeebc5fb0f7712e" + "sha256:00ba3c9818e33f1fa974693fb55d24cdc8ebafcb2e4207680669d8f8d7cca79a", + "sha256:00e871d83a45eee2f8688d7e6849609c2ca2a04a6d48fba3dff4deef35d14f07", + "sha256:06e9abc0e4c9ab4779c74ad99c3fc10d3967d03114449acc2c2762ad4472b8ca", + "sha256:0b9ac09853b2a3e0d0082104036579809679e7715671cfbf89d83c1cb2a30f58", + "sha256:0d47840dc05e0ba04fe2e26f15126de7c755496d5a8aae4a08bda4dd8d646c54", + "sha256:0f649fa32fe734c4abdfd4edbb8381c74abf5f34bc0b3271ce687b23729299ed", + "sha256:107ac60d1bfdc3edb53be75e2a52aff7481b92817cfdddd9b4519ccf0e54a6ff", + "sha256:11175910f62b2b8c055f2b089e0fedd694fe2be3941b3e2633653bc51064c528", + "sha256:12bd4bc2c632742c7ce20db48e0d99afdc05e03f0b4c1af90542e05b809a03d9", + "sha256:16f8740eb6dbacc7113e3097b0a36065a02e37b47c936b551805d40340fb9971", + "sha256:1c0e8fae5b27caa34177bdfa5a960c46ff2f78ee2d45c6db15ae3f64ecadde14", + "sha256:2c54e23836650bdf2c18222c87f6f840d4943944146ca479858404fedeb9f9af", + "sha256:3367007ad1951fde612bf65b0dffc8fd681a4ab98ac86957d16491400d661302", + "sha256:36362386b813fa6c9146da6149a001b7bd063dabc4d49522a1f7aa65b725c7ec", + "sha256:39807cbcbe406efca2a233884e169d056c35aa7e9f343d4e78665246a332f597", + "sha256:39cdf8d141d6d44e8d5a12a8569d5a227f645c87df4f92179bd06e2e2705e76b", + "sha256:3b2c3502603fab52d7619b882c25a6850b766ebd1b18de3df23b2f939360e1bd", + "sha256:3ccf2716add72f80714b9a63899b67fa711b654be3fcdd34fa391d2d274ce767", + "sha256:3fef4f844d2290ee0ba57addcec17eec9e3df73f10a2748485dfd6a3a188cc0f", + "sha256:4023e2efc35a30e66e938de5aef42b520c20e7eda7bb5fb12c35e5d09a4c43f6", + "sha256:4a3ee019a9befe84fa3e917a2dd378807e423d013377a884c1970a3c2792d293", + "sha256:4a8bf76e3182797c6b1afa5b822d1d5802ff30284abe4599e1247be4fd6b03be", + "sha256:4a992f702c9be9c72fa46f01ca6e18d131906a7180950958f766c2aa294d4b41", + "sha256:4c34d4f73ea738223a094d8e0ffd6d2c1a1b4c175da34d6b0de3d8d69bee6bcc", + "sha256:4cd1bccf99d3ef1ab6ba835308ad85be040e6a11b0977ef7ea8c8005f01a3c29", + "sha256:4ef80829117a8061f974b2fda8ec799717242353bff55f8a29411794d635d964", + "sha256:58837f9d221744d4c92d2cf7201c6acd19623b50c643b56992cbd2b745485d3d", + "sha256:5a8f91c64f390ecee09ff793319f30a0f32492e99f5dc1c72bc361f23ccd0a9a", + "sha256:5addc9d0209a9afca5fc070f93b726bf7003bd63a427f65ef797a931782e7edc", + "sha256:6239d4e2e0b52c8bd38c51b760cd870069f0bdf99700a62cd509d7a031749a55", + "sha256:66e2fe786ef28da2b28e222c89502b2af984858091675044d93cb50e6f46d7af", + "sha256:69c0771ca5653c7d4b65203cbfc5e66db9375f1078689459fe196fe08b7b4930", + "sha256:6ac965a998e1388e6ff2e9781f499ad1eaa41e962a40d11c7823c9952c77123e", + "sha256:6c56c3d47da04f921b73ff9415fbaa939f684d47293f071aa9cbb13c94afc17d", + "sha256:6f85739e80d13644b981a88f529d79c5bdf646b460ba190bffcaf6d57b2a9863", + "sha256:706e7b739fdd17cb89e1fbf712d9dc21311fc2333f6d435eac2d4ee81985098c", + "sha256:741ba2f511cc9626b7561a440f87d658aabb3d6b744a86a3c025f866b4d19e7f", + "sha256:7434a61b158be563c1362d9071358f8ab91b8d928728cd2882af060481244c9e", + "sha256:76066d7ff61ba6bf3cb5efe2428fc82aac91802844c022d849a1f0f53820502d", + "sha256:7979b834ec7a33aafae34a90aad9f914c41fd6eaa8474e66953f3f6f7cbd4368", + "sha256:7eece6fbd3eae4a92d7c748ae825cbc1ee41a89bb1c3db05b5578ed3cfcfd7cb", + "sha256:7ef1e014eed78ab650bef9a6a9cbe50b052c0aebe553fb2881e0453717573f52", + "sha256:81dce2ddc9f6e8f543d94b05d56e70d03a0774d32f6cca53e978dc01e4fc75b8", + "sha256:82fcc1f1cc3ff1ab8a57ba619b149b907072e750815c5ba63e7aa2e1163384a4", + "sha256:8d1f21af4c1539051049796a0f50aa342f9a27cde57318f2fc41ed50b0dbc4ac", + "sha256:90a79bce019c442604662d17bf69df99090e24cdc6ad95b18b6725c2988a490e", + "sha256:9145f092b5d1977ec8c0ab46e7b3381b2fd069957b9862a43bd383e5c01d18c2", + "sha256:91dc1d531f80c862441d7b66c4505cd6ea9d312f01fb2f4654f40c6fdf5cc37a", + "sha256:979c24cbefaf2420c4e377ecd1f165ea08cc3d1fbb44bdc51bccbbf7c66a2cb4", + "sha256:994645a46c6a740ee8ce8df7911d4aee458d9b1bc5639bc968226763d07f00fa", + "sha256:9b98b7681a9437262947f41c7fac567c7e1f6eddd94b0483596d320092004533", + "sha256:9c6b4d23c04831e3ab61717a707a5d763b300213db49ca680edf8bf13ab5d91b", + "sha256:9c6d0ced3c06d0f183b73d3c5920727268d2201aa0fe6d55c60d68c792ff3588", + "sha256:9fd88f373cb71e6b59b7fa597e47e518282455c2734fd4306a05ca219a1991b0", + "sha256:a8f4e49fc3ce020f65411432183e6775f24e02dff617281094ba6ab079ef0915", + "sha256:a9e908ef5889cda4de038892b9accc36d33d72fb3e12c747e2799a0e806ec841", + "sha256:ad08a69728ff3c79866d729b095872afe1e0557251da4abb2c5faff15a91d19a", + "sha256:adbccd17dcaff65704c856bd29951c58a1bd4b2b0f8ad6b826dbd543fe740988", + "sha256:b0c7d2f698e83f15228ba41c135501cfe7d5740181d5903e250e47f617eb4292", + "sha256:b3ab05a182c7937fb374f7e946f04fb23a0c0699c0450e9fb02ef567412d2fa3", + "sha256:b6104f9a46bd8743e4f738afef69b153c4b8b592d35ae46db07fc28ae3d5fb7c", + "sha256:ba7cd6dc4d585ea544c1412019921570ebd8a597fabf475acc4528210d7c4a6f", + "sha256:bc72c231f5449d86d6c7d9cc7cd819b6eb30134bb770b8cfdc0765e48ef9c420", + "sha256:bce8814b076f0ce5766dc87d5a056b0e9437b8e0cd351b9a6c4e1134a7dfbda9", + "sha256:be5e22bbb67924dea15039c3282fa4cc6cdfbe0cbbd1c0515f9223186fc2ec5f", + "sha256:be6b7b8d42d3090b6c80793524fa66c57ad7ee3fe9722b258aec6d0672543fd0", + "sha256:bfe50b61bab1b1ec260fa7cd91106fa9fece57e6beba05630afe27c71259c59b", + "sha256:bff507ae210371d4b1fe316d03433ac099f184d570a1a611e541923f78f05037", + "sha256:c148bec483cc4b421562b4bcedb8e28a3b84fcc8f0aa4418e10898f3c2c0eb9b", + "sha256:c15ad0aee158a15e17e0495e1e18741573d04eb6da06d8b84af726cfc1ed02ee", + "sha256:c2169b2dcabf4e608416f7f9468737583ce5f0a6e8677c4efbf795ce81109d7c", + "sha256:c55853684fe08d4897c37dfc5faeff70607a5f1806c8be148f1695be4a63414b", + "sha256:c65a3b5330b54103e7d21cac3f6bf3900d46f6d50138d73343d9e5b2900b2353", + "sha256:c7964c2183c3e6cce3f497e3a9f49d182e969f2dc3aeeadfa18945ff7bdd7051", + "sha256:cc3f1c053b73f20c7ad88b0d1d23be7e7b3901229ce89f5000a8399746a6e039", + "sha256:ce615c92d90df8373d9e13acddd154152645c0dc060871abf6bd43809673d20a", + "sha256:d29338556a59423d9ff7b6eb0cb89ead2b0875e08fe522f3e068b955c3e7b59b", + "sha256:d8a993c0a0ffd5f2d3bda23d0cd75e7086736f8f8268de8a82fbc4bd0ac6791e", + "sha256:d9c727bbcf0065cbb20f39d2b4f932f8fa1631c3e01fcedc979bd4f51fe051c5", + "sha256:dac37cf08fcf2094159922edc7a2784cfcc5c70f8354469f79ed085f0328ebdf", + "sha256:dd829712de97753367153ed84f2de752b86cd1f7a88b55a3a775eb52eafe8a94", + "sha256:e54ddd0bb8fb626aa1f9ba7b36629564544954fff9669b15da3610c22b9a0991", + "sha256:e77c90ab5997e85901da85131fd36acd0ed2221368199b65f0d11bca44549711", + "sha256:ebedc192abbc7fd13c5ee800e83a6df252bec691eb2c4bedc9f8b2e2903f5e2a", + "sha256:ef71561f82a89af6cfcbee47f0fabfdb6e63788a9258e913955d89fdd96902ab", + "sha256:f0a47efb1dbef13af9c9a54a94a0b814902e547b7f21acb29434504d18f36e3a", + "sha256:f4f2ca6df64cbdd27f27b34f35adb640b5d2d77264228554e68deda54456eb11", + "sha256:fb02e4257376ae25c6dd95a5aec377f9b18c09be6ebdefa7ad209b9137b73d48" ], - "markers": "python_version >= '3.6'", - "version": "==2023.8.8" + "markers": "python_version >= '3.7'", + "version": "==2023.10.3" }, "requests": { "hashes": [ @@ -1272,15 +1305,167 @@ "sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==2.31.0" }, + "rpds-py": { + "hashes": [ + "sha256:015de2ce2af1586ff5dc873e804434185199a15f7d96920ce67e50604592cae9", + "sha256:061c3ff1f51ecec256e916cf71cc01f9975af8fb3af9b94d3c0cc8702cfea637", + "sha256:08a80cf4884920863623a9ee9a285ee04cef57ebedc1cc87b3e3e0f24c8acfe5", + "sha256:09362f86ec201288d5687d1dc476b07bf39c08478cde837cb710b302864e7ec9", + "sha256:0bb4f48bd0dd18eebe826395e6a48b7331291078a879295bae4e5d053be50d4c", + "sha256:106af1653007cc569d5fbb5f08c6648a49fe4de74c2df814e234e282ebc06957", + "sha256:11fdd1192240dda8d6c5d18a06146e9045cb7e3ba7c06de6973000ff035df7c6", + "sha256:16a472300bc6c83fe4c2072cc22b3972f90d718d56f241adabc7ae509f53f154", + "sha256:176287bb998fd1e9846a9b666e240e58f8d3373e3bf87e7642f15af5405187b8", + "sha256:177914f81f66c86c012311f8c7f46887ec375cfcfd2a2f28233a3053ac93a569", + "sha256:177c9dd834cdf4dc39c27436ade6fdf9fe81484758885f2d616d5d03c0a83bd2", + "sha256:187700668c018a7e76e89424b7c1042f317c8df9161f00c0c903c82b0a8cac5c", + "sha256:1d9b5ee46dcb498fa3e46d4dfabcb531e1f2e76b477e0d99ef114f17bbd38453", + "sha256:22da15b902f9f8e267020d1c8bcfc4831ca646fecb60254f7bc71763569f56b1", + "sha256:24cd91a03543a0f8d09cb18d1cb27df80a84b5553d2bd94cba5979ef6af5c6e7", + "sha256:255f1a10ae39b52122cce26ce0781f7a616f502feecce9e616976f6a87992d6b", + "sha256:271c360fdc464fe6a75f13ea0c08ddf71a321f4c55fc20a3fe62ea3ef09df7d9", + "sha256:2ed83d53a8c5902ec48b90b2ac045e28e1698c0bea9441af9409fc844dc79496", + "sha256:2f3e1867dd574014253b4b8f01ba443b9c914e61d45f3674e452a915d6e929a3", + "sha256:35fbd23c1c8732cde7a94abe7fb071ec173c2f58c0bd0d7e5b669fdfc80a2c7b", + "sha256:37d0c59548ae56fae01c14998918d04ee0d5d3277363c10208eef8c4e2b68ed6", + "sha256:39d05e65f23a0fe897b6ac395f2a8d48c56ac0f583f5d663e0afec1da89b95da", + "sha256:3ad59efe24a4d54c2742929001f2d02803aafc15d6d781c21379e3f7f66ec842", + "sha256:3aed39db2f0ace76faa94f465d4234aac72e2f32b009f15da6492a561b3bbebd", + "sha256:3bbac1953c17252f9cc675bb19372444aadf0179b5df575ac4b56faaec9f6294", + "sha256:40bc802a696887b14c002edd43c18082cb7b6f9ee8b838239b03b56574d97f71", + "sha256:42f712b4668831c0cd85e0a5b5a308700fe068e37dcd24c0062904c4e372b093", + "sha256:448a66b8266de0b581246ca7cd6a73b8d98d15100fb7165974535fa3b577340e", + "sha256:485301ee56ce87a51ccb182a4b180d852c5cb2b3cb3a82f7d4714b4141119d8c", + "sha256:485747ee62da83366a44fbba963c5fe017860ad408ccd6cd99aa66ea80d32b2e", + "sha256:4cf0855a842c5b5c391dd32ca273b09e86abf8367572073bd1edfc52bc44446b", + "sha256:4eca20917a06d2fca7628ef3c8b94a8c358f6b43f1a621c9815243462dcccf97", + "sha256:4ed172d0c79f156c1b954e99c03bc2e3033c17efce8dd1a7c781bc4d5793dfac", + "sha256:5267cfda873ad62591b9332fd9472d2409f7cf02a34a9c9cb367e2c0255994bf", + "sha256:52b5cbc0469328e58180021138207e6ec91d7ca2e037d3549cc9e34e2187330a", + "sha256:53d7a3cd46cdc1689296348cb05ffd4f4280035770aee0c8ead3bbd4d6529acc", + "sha256:563646d74a4b4456d0cf3b714ca522e725243c603e8254ad85c3b59b7c0c4bf0", + "sha256:570cc326e78ff23dec7f41487aa9c3dffd02e5ee9ab43a8f6ccc3df8f9327623", + "sha256:5aca759ada6b1967fcfd4336dcf460d02a8a23e6abe06e90ea7881e5c22c4de6", + "sha256:5de11c041486681ce854c814844f4ce3282b6ea1656faae19208ebe09d31c5b8", + "sha256:5e271dd97c7bb8eefda5cca38cd0b0373a1fea50f71e8071376b46968582af9b", + "sha256:642ed0a209ced4be3a46f8cb094f2d76f1f479e2a1ceca6de6346a096cd3409d", + "sha256:6446002739ca29249f0beaaf067fcbc2b5aab4bc7ee8fb941bd194947ce19aff", + "sha256:691d50c99a937709ac4c4cd570d959a006bd6a6d970a484c84cc99543d4a5bbb", + "sha256:69b857a7d8bd4f5d6e0db4086da8c46309a26e8cefdfc778c0c5cc17d4b11e08", + "sha256:6ac3fefb0d168c7c6cab24fdfc80ec62cd2b4dfd9e65b84bdceb1cb01d385c33", + "sha256:6c9141af27a4e5819d74d67d227d5047a20fa3c7d4d9df43037a955b4c748ec5", + "sha256:7170cbde4070dc3c77dec82abf86f3b210633d4f89550fa0ad2d4b549a05572a", + "sha256:763ad59e105fca09705d9f9b29ecffb95ecdc3b0363be3bb56081b2c6de7977a", + "sha256:77076bdc8776a2b029e1e6ffbe6d7056e35f56f5e80d9dc0bad26ad4a024a762", + "sha256:7cd020b1fb41e3ab7716d4d2c3972d4588fdfbab9bfbbb64acc7078eccef8860", + "sha256:821392559d37759caa67d622d0d2994c7a3f2fb29274948ac799d496d92bca73", + "sha256:829e91f3a8574888b73e7a3feb3b1af698e717513597e23136ff4eba0bc8387a", + "sha256:850c272e0e0d1a5c5d73b1b7871b0a7c2446b304cec55ccdb3eaac0d792bb065", + "sha256:87d9b206b1bd7a0523375dc2020a6ce88bca5330682ae2fe25e86fd5d45cea9c", + "sha256:8bd01ff4032abaed03f2db702fa9a61078bee37add0bd884a6190b05e63b028c", + "sha256:8d54bbdf5d56e2c8cf81a1857250f3ea132de77af543d0ba5dce667183b61fec", + "sha256:8efaeb08ede95066da3a3e3c420fcc0a21693fcd0c4396d0585b019613d28515", + "sha256:8f94fdd756ba1f79f988855d948ae0bad9ddf44df296770d9a58c774cfbcca72", + "sha256:95cde244e7195b2c07ec9b73fa4c5026d4a27233451485caa1cd0c1b55f26dbd", + "sha256:975382d9aa90dc59253d6a83a5ca72e07f4ada3ae3d6c0575ced513db322b8ec", + "sha256:9dd9d9d9e898b9d30683bdd2b6c1849449158647d1049a125879cb397ee9cd12", + "sha256:a019a344312d0b1f429c00d49c3be62fa273d4a1094e1b224f403716b6d03be1", + "sha256:a4d9bfda3f84fc563868fe25ca160c8ff0e69bc4443c5647f960d59400ce6557", + "sha256:a657250807b6efd19b28f5922520ae002a54cb43c2401e6f3d0230c352564d25", + "sha256:a771417c9c06c56c9d53d11a5b084d1de75de82978e23c544270ab25e7c066ff", + "sha256:aad6ed9e70ddfb34d849b761fb243be58c735be6a9265b9060d6ddb77751e3e8", + "sha256:ae87137951bb3dc08c7d8bfb8988d8c119f3230731b08a71146e84aaa919a7a9", + "sha256:af247fd4f12cca4129c1b82090244ea5a9d5bb089e9a82feb5a2f7c6a9fe181d", + "sha256:b5d4bdd697195f3876d134101c40c7d06d46c6ab25159ed5cbd44105c715278a", + "sha256:b9255e7165083de7c1d605e818025e8860636348f34a79d84ec533546064f07e", + "sha256:c22211c165166de6683de8136229721f3d5c8606cc2c3d1562da9a3a5058049c", + "sha256:c55f9821f88e8bee4b7a72c82cfb5ecd22b6aad04033334f33c329b29bfa4da0", + "sha256:c7aed97f2e676561416c927b063802c8a6285e9b55e1b83213dfd99a8f4f9e48", + "sha256:cd2163f42868865597d89399a01aa33b7594ce8e2c4a28503127c81a2f17784e", + "sha256:ce5e7504db95b76fc89055c7f41e367eaadef5b1d059e27e1d6eabf2b55ca314", + "sha256:cff7351c251c7546407827b6a37bcef6416304fc54d12d44dbfecbb717064717", + "sha256:d27aa6bbc1f33be920bb7adbb95581452cdf23005d5611b29a12bb6a3468cc95", + "sha256:d3b52a67ac66a3a64a7e710ba629f62d1e26ca0504c29ee8cbd99b97df7079a8", + "sha256:de61e424062173b4f70eec07e12469edde7e17fa180019a2a0d75c13a5c5dc57", + "sha256:e10e6a1ed2b8661201e79dff5531f8ad4cdd83548a0f81c95cf79b3184b20c33", + "sha256:e1a0ffc39f51aa5f5c22114a8f1906b3c17eba68c5babb86c5f77d8b1bba14d1", + "sha256:e22491d25f97199fc3581ad8dd8ce198d8c8fdb8dae80dea3512e1ce6d5fa99f", + "sha256:e626b864725680cd3904414d72e7b0bd81c0e5b2b53a5b30b4273034253bb41f", + "sha256:e8c71ea77536149e36c4c784f6d420ffd20bea041e3ba21ed021cb40ce58e2c9", + "sha256:e8d0f0eca087630d58b8c662085529781fd5dc80f0a54eda42d5c9029f812599", + "sha256:ea65b59882d5fa8c74a23f8960db579e5e341534934f43f3b18ec1839b893e41", + "sha256:ea93163472db26ac6043e8f7f93a05d9b59e0505c760da2a3cd22c7dd7111391", + "sha256:eab75a8569a095f2ad470b342f2751d9902f7944704f0571c8af46bede438475", + "sha256:ed8313809571a5463fd7db43aaca68ecb43ca7a58f5b23b6e6c6c5d02bdc7882", + "sha256:ef5fddfb264e89c435be4adb3953cef5d2936fdeb4463b4161a6ba2f22e7b740", + "sha256:ef750a20de1b65657a1425f77c525b0183eac63fe7b8f5ac0dd16f3668d3e64f", + "sha256:efb9ece97e696bb56e31166a9dd7919f8f0c6b31967b454718c6509f29ef6fee", + "sha256:f4c179a7aeae10ddf44c6bac87938134c1379c49c884529f090f9bf05566c836", + "sha256:f602881d80ee4228a2355c68da6b296a296cd22bbb91e5418d54577bbf17fa7c", + "sha256:fc2200e79d75b5238c8d69f6a30f8284290c777039d331e7340b6c17cad24a5a", + "sha256:fcc1ebb7561a3e24a6588f7c6ded15d80aec22c66a070c757559b57b17ffd1cb" + ], + "markers": "python_version >= '3.8'", + "version": "==0.10.3" + }, + "rustworkx": { + "hashes": [ + "sha256:030203b24c5742e3f3425266cc7d12f82223d97900a5beacdcd18c35383df318", + "sha256:0847a4464902f8154c8cb89ed5ebcc4a49542b004cfc71eeb4ed0b1e0547d10c", + "sha256:0b3a09b78bd4ac589c5e2f0413c777e7dec94c704e47e39fa5a1737f7c31715d", + "sha256:115e892dd5a38f0a9b81e188cef64136e59734cb27b5e27dcd677d0491829425", + "sha256:156ea240f3a5f6d80dd23d198162ad997359da11b80257aa36fcd891889edfcf", + "sha256:1ac7aa312779d913f4f8159fdc9b7d31eca7667afa4a20c0bebb97d5e06be703", + "sha256:1f6828ec18d47d0e435492aef2825739f68afecf1f8686ddee8b4c88c5fd3af0", + "sha256:1fc94714c3738bde40c772c82c3efa8c8bdf0dac711fe8bb3cf2306839d97ec1", + "sha256:40784246b0176f1b6a3ff74914f849dccfefee5213ab41c020abe1f8ded488b8", + "sha256:42ad8c94ede16c8a325d661ebee7dacef11f409a2bcb5125840ebe80d9629c36", + "sha256:48e9a1d05e9909b7a5fb0dac2324b0fb621222e4b0a830b7ed30f1c0001ec39e", + "sha256:4b152061872053edea38ad543b582d071cf09cc494d4b15f5310874b905179cf", + "sha256:4b3570369bf90b76dd1ac87c077aecc9ca7e9c7d8083d658c12f98acbb94d6a3", + "sha256:5207507bbebc034006c117cf568009eb18ebe1b47ef550d77781fccb5f089a97", + "sha256:58990e9596c02643941c940a20be99013defcc05dac2eb4ae21cc2f7b3143832", + "sha256:5f978007be9c10c211985d2abb680c019d99cb23c46c56d2712968c1c4dabb0d", + "sha256:64fee8e7d25d1648d1bdcb25907539c6c9d2e5ec7f22ed76f8c9dd9b6479ffa1", + "sha256:689cc3476f27b57fd4cc8f47140410496b811eab0325fd30b21721772e6e5e4f", + "sha256:6a4008cccf2efe9441322b95fdd503ace77798c14515fa97a8920a426c5d1015", + "sha256:6c910ccd1e7ca7fa2d60436122e2a0f0a4f23a32a1c56e05b6a850741b6e3ac6", + "sha256:7acab7603e9c14f2207c3de4efb62bfeddcb4780c5cf037aac374b209d3b85cb", + "sha256:7b33861d68807eeef1d188eb05540be878bb8b67bab74d74243e0bcbe2c0a54a", + "sha256:86fc5db9da1c1d2748442b533a3eeaa55b672127a04f2a339436a12c056ccc52", + "sha256:87b54064cbd1a778ea8101c5713a1175cbfcbf694fba28b05c1339267a54be4b", + "sha256:87c6e77ffe565bd7a00d12814e2212dcbcd519d21539005d68f94e199d1fed0a", + "sha256:87cfa52047f77d5cb31c6e8537800bcc95f817e6481fe73fbd2db9643b896ab7", + "sha256:8bf3f636ffba33832f73dbb5937cfad37113a38b8c169be15e9d54c396fc33a8", + "sha256:97f0f6ad00374a21b2597ec0861aea6b5ae93f9464b74e34521a09516a6b13df", + "sha256:a1513124d021e91d965ebf09e30e2ddae47abcc785a72944522fd02db835edce", + "sha256:a1cf5894a8a03e431d106d174052feb37b45514e7a9c9300cc1ec95cf42d7acd", + "sha256:a2436e9b67a77ef88d024437de4c36477ac7c60c1c9a4244108d5af54b55688b", + "sha256:a61504a383afc112c2e137607dd519b204e74b3f7d1f31dc6e1230a23faee42a", + "sha256:ab0dd3ca9b450c3151258fb3c914841e2d72d3413628c19ceb3471a29581b483", + "sha256:ae06d002c3a52eae507517527735d6b23b222c66fbc6fc085481565e59c84291", + "sha256:b3f4b7ee14d206f6a899f82fd5e719b6fb0fdb5862133446939c63dc2a72b498", + "sha256:d1e69b0c33130a64b4fe062239ba8908720a202775642bc0bce80878016bbd28", + "sha256:da43ac860de5cebe464f3c8e4ee5e5d1665907299df36f6da22078419157c03a", + "sha256:dad268861aaddf93ad453ce88af153f3c3e622cc8ec6899fb167e1a5f8835b9c", + "sha256:e76c67896030c9edd9823c2937ac6bfa1ce58bae580a8214596b687b6011a487", + "sha256:ecf19818eb71ce2ce15044164fdd4c03d952a2ad05a38ca2df06c90fc35cf1f9", + "sha256:f2d968ba9da4cbf343ff7aee80a7e97e0d127fa0d5d4a2f456b86bfd3c324d58" + ], + "index": "pypi", + "markers": "python_version >= '3.7'", + "version": "==0.13.1" + }, "s3transfer": { "hashes": [ - "sha256:b014be3a8a2aab98cfe1abc7229cc5a9a0cf05eb9c1f2b86b230fd8df3f78084", - "sha256:cab66d3380cca3e70939ef2255d01cd8aece6a4907a9528740f668c4b0611861" + "sha256:10d6923c6359175f264811ef4bf6161a3156ce8e350e705396a7557d6293c33a", + "sha256:fd3889a66f5fe17299fe75b82eae6cf722554edca744ca5d5fe308b104883d2e" ], "markers": "python_version >= '3.7'", - "version": "==0.6.2" + "version": "==0.7.0" }, "schema": { "hashes": [ @@ -1296,15 +1481,16 @@ "sha256:de78a3b8e0feda74cabc54aab2da702113e33ac9d9eb9d2389bcf1f58b7d9177" ], "index": "pypi", + "markers": "python_version >= '2.7'", "version": "==2.10.0" }, "setuptools": { "hashes": [ - "sha256:11e52c67415a381d10d6b462ced9cfb97066179f0e871399e006c4ab101fc85f", - "sha256:baf1fdb41c6da4cd2eae722e135500da913332ab3f2f5c7d33af9b492acb5235" + "sha256:4ac1475276d2f1c48684874089fefcd83bd7162ddaafb81fac866ba0db282a87", + "sha256:b454a35605876da60632df1a60f736524eb73cc47bbc9f3f1ef1b644de74fd2a" ], - "markers": "python_version >= '3.7'", - "version": "==68.0.0" + "markers": "python_version >= '3.8'", + "version": "==68.2.2" }, "six": { "hashes": [ @@ -1316,11 +1502,11 @@ }, "smmap": { "hashes": [ - "sha256:2aba19d6a040e78d8b09de5c57e96207b09ed71d8e55ce0959eeee6c8e190d94", - "sha256:c840e62059cd3be204b0c9c9f74be2c09d5648eddd4580d9314c3ecde0b30936" + "sha256:dceeb6c0028fdb6734471eb07c0cd2aae706ccaecab45965ee83f11c8d3b1f62", + "sha256:e6d8668fa5f93e706934a62d7b4db19c8d9eb8cf2adbb75ef1b675aa332b69da" ], - "markers": "python_version >= '3.6'", - "version": "==5.0.0" + "markers": "python_version >= '3.7'", + "version": "==5.0.1" }, "sortedcontainers": { "hashes": [ @@ -1331,11 +1517,11 @@ }, "soupsieve": { "hashes": [ - "sha256:1c1bfee6819544a3447586c889157365a27e10d88cde3ad3da0cf0ddf646feb8", - "sha256:89d12b2d5dfcd2c9e8c22326da9d9aa9cb3dfab0a83a024f05704076ee8d35ea" + "sha256:5663d5a7b3bfaeee0bc4372e7fc48f9cff4940b3eec54a6451cc5299f1097690", + "sha256:eaa337ff55a1579b6549dc679565eac1e3d000563bcb1c8ab0d0fefbc0c2cdc7" ], - "markers": "python_version >= '3.7'", - "version": "==2.4.1" + "markers": "python_version >= '3.8'", + "version": "==2.5" }, "spdx-tools": { "hashes": [ @@ -1343,6 +1529,7 @@ "sha256:c83652cd65b5726058dcbdaab85839dbe484c43ea6f61046137516aa1b8428ae" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==0.8.1" }, "tabulate": { @@ -1351,6 +1538,7 @@ "sha256:024ca478df22e9340661486f85298cff5f6dcdba14f3813e8830015b9ed1948f" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==0.9.0" }, "termcolor": { @@ -1359,14 +1547,15 @@ "sha256:b5b08f68937f138fe92f6c089b99f1e2da0ae56c52b78bf7075fd95420fd9a5a" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==2.3.0" }, "texttable": { "hashes": [ - "sha256:290348fb67f7746931bcdfd55ac7584ecd4e5b0846ab164333f0794b121760f2", - "sha256:b7b68139aa8a6339d2c320ca8b1dc42d13a7831a346b446cb9eb385f0c76310c" + "sha256:2d2068fb55115807d3ac77a4ca68fa48803e84ebb0ee2340f858107a36522638", + "sha256:72227d592c82b3d7f672731ae73e4d1f88cd8e2ef5b075a7a7f01a23a3743917" ], - "version": "==1.6.7" + "version": "==1.7.0" }, "toml": { "hashes": [ @@ -1382,15 +1571,17 @@ "sha256:d88e651f9db8d8551a62556d3cff9e3034274ca5d66e93197cf2490e2dcb69c7" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==4.66.1" }, "typing-extensions": { "hashes": [ - "sha256:440d5dd3af93b060174bf433bccd69b0babc3b15b1a8dca43789fd7f61514b36", - "sha256:b75ddc264f0ba5615db7ba217daeb99701ad295353c45f9e95963337ceeeffb2" + "sha256:8f92fc8806f9a6b641eaa5318da32b44d401efaac0f6678c9bc448ba3605faa0", + "sha256:df8e4339e9cb77357558cbdbceca33c303714cf861d1eef15e1070055ae8b7ef" ], "index": "pypi", - "version": "==4.7.1" + "markers": "python_version >= '3.8'", + "version": "==4.8.0" }, "unidiff": { "hashes": [ @@ -1417,26 +1608,27 @@ }, "urllib3": { "hashes": [ - "sha256:8d36afa7616d8ab714608411b4a3b13e58f463aee519024578e062e141dce20f", - "sha256:8f135f6502756bde6b2a9b28989df5fbe87c9970cecaa69041edcce7f0589b14" + "sha256:24d6a242c28d29af46c3fae832c36db3bbebcc533dd1bb549172cd739c82df21", + "sha256:94a757d178c9be92ef5539b8840d48dc9cf1b2709c9d6b588232a055c524458b" ], + "index": "pypi", "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'", - "version": "==1.26.16" + "version": "==1.26.17" }, "wcwidth": { "hashes": [ - "sha256:795b138f6875577cd91bba52baf9e445cd5118fd32723b460e30a0af30ea230e", - "sha256:a5220780a404dbe3353789870978e472cfe477761f06ee55077256e509b156d0" + "sha256:77f719e01648ed600dfa5402c347481c0992263b81a027344f3e1ba25493a704", + "sha256:8705c569999ffbb4f6a87c6d1b80f324bd6db952f5eb0b95bc07517f4c1813d4" ], - "version": "==0.2.6" + "version": "==0.2.8" }, "websocket-client": { "hashes": [ - "sha256:c951af98631d24f8df89ab1019fc365f2227c0892f12fd150e935607c79dd0dd", - "sha256:f1f9f2ad5291f0225a49efad77abf9e700b6fef553900623060dad6e26503b9d" + "sha256:3aad25d31284266bcfcfd1fd8a743f63282305a364b8d0948a43bd606acc652f", + "sha256:6cfc30d051ebabb73a5fa246efdcc14c8fbebbd0330f8984ac3bb6d9edd2ad03" ], - "markers": "python_version >= '3.7'", - "version": "==1.6.1" + "markers": "python_version >= '3.8'", + "version": "==1.6.3" }, "xmltodict": { "hashes": [ @@ -1524,15 +1716,16 @@ "sha256:f7a3d8146575e08c29ed1cd287068e6d02f1c7bdff8970db96683b9591b86ee7" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==1.9.2" }, "zipp": { "hashes": [ - "sha256:112929ad649da941c23de50f356a2b5570c954b65150642bccdd66bf194d224b", - "sha256:48904fc76a60e542af151aded95726c1a5c34ed43ab4134b597665c86d7ad556" + "sha256:0e923e726174922dce09c53c59ad483ff7bbb8e572e00c7f7c46b88556409f31", + "sha256:84e64a1c28cf7e91ed2078bb8cc8c259cb19b76942096c8d7b84947690cabaf0" ], - "markers": "python_version >= '3.7'", - "version": "==3.15.0" + "markers": "python_version >= '3.8'", + "version": "==3.17.0" } }, "develop": { @@ -1627,6 +1820,7 @@ "sha256:fd1ed388ea7fbed22c4968dd64bab0198de60750a25fe8c0c9d4bef5abe13824" ], "index": "pypi", + "markers": "python_version >= '3.6'", "version": "==3.8.5" }, "aioresponses": { @@ -1653,14 +1847,6 @@ "markers": "python_version >= '3.7'", "version": "==4.0.3" }, - "asynctest": { - "hashes": [ - "sha256:5da6118a7e6d6b54d83a8f7197769d046922a44d2a99c21382f0a6e4fadae676", - "sha256:c27862842d15d83e6a34eb0b2866c323880eb3a75e4485b079ea11748fd77fac" - ], - "markers": "python_version < '3.8'", - "version": "==0.13.0" - }, "attrs": { "hashes": [ "sha256:1f28b4522cdc2fb4256ac1a020c78acf9cba2c6b461ccd2c126f3aa8e8335d04", @@ -1675,6 +1861,7 @@ "sha256:bdfc739baa03b880c2d15d0431b31c658ffc348e907fe197e54e0389dd59e11e" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==1.7.5" }, "boto3-stubs-lite": { @@ -1682,19 +1869,19 @@ "s3" ], "hashes": [ - "sha256:314ca9a377418a7edf243e2d014b87901e814fd10494b2e86be6c48b1bd5a4c5", - "sha256:a0f63333888f6ded33d92f5ef3a1cdeed313498e51b0d47ab2b0026cc7c94954" + "sha256:7bf6af1a994f70c31e0fbabd5053494ad233e8b450238aea6831de02564e45b0", + "sha256:94055f94b3179e7ee956172614792ed9749ed1c330913fb5fe2063788cb092dd" ], - "index": "pypi", - "version": "==1.28.40" + "markers": "python_version >= '3.7'", + "version": "==1.28.57" }, "botocore-stubs": { "hashes": [ - "sha256:2001a253daf4ae2e171e6137b9982a00a7fbfc7a53449a16856dc049e7cd5214", - "sha256:aab534d7e7949cd543bc9b2fadc1a36712033cb00e6f31e2475eefe8486d19ae" + "sha256:756566be75b672a8f876055a42b7620f008dda596b428a008ef531c26cb1d7b4", + "sha256:de57adb5e7162bc93a3a95bd2b93f4c03c6cfd6ebc34c1bac7f6784b05f1cd16" ], "markers": "python_version >= '3.7' and python_version < '4.0'", - "version": "==1.31.40" + "version": "==1.31.59" }, "certifi": { "hashes": [ @@ -1706,92 +1893,108 @@ }, "cfgv": { "hashes": [ - "sha256:c6a0883f3917a037485059700b9e75da2464e6c27051014ad85ba6aaa5884426", - "sha256:f5a830efb9ce7a445376bb66ec94c638a9787422f96264c98edc6bdeed8ab736" + "sha256:b7265b1f29fd3316bfcd2b330d63d024f2bfd8bcb8b0272f8e19a504856c48f9", + "sha256:e52591d4c5f5dead8e0f673fb16db7949d2cfb3f7da4582893288f0ded8fe560" ], - "markers": "python_full_version >= '3.6.1'", - "version": "==3.3.1" + "markers": "python_version >= '3.8'", + "version": "==3.4.0" }, "charset-normalizer": { "hashes": [ - "sha256:04e57ab9fbf9607b77f7d057974694b4f6b142da9ed4a199859d9d4d5c63fe96", - "sha256:09393e1b2a9461950b1c9a45d5fd251dc7c6f228acab64da1c9c0165d9c7765c", - "sha256:0b87549028f680ca955556e3bd57013ab47474c3124dc069faa0b6545b6c9710", - "sha256:1000fba1057b92a65daec275aec30586c3de2401ccdcd41f8a5c1e2c87078706", - "sha256:1249cbbf3d3b04902ff081ffbb33ce3377fa6e4c7356f759f3cd076cc138d020", - "sha256:1920d4ff15ce893210c1f0c0e9d19bfbecb7983c76b33f046c13a8ffbd570252", - "sha256:193cbc708ea3aca45e7221ae58f0fd63f933753a9bfb498a3b474878f12caaad", - "sha256:1a100c6d595a7f316f1b6f01d20815d916e75ff98c27a01ae817439ea7726329", - "sha256:1f30b48dd7fa1474554b0b0f3fdfdd4c13b5c737a3c6284d3cdc424ec0ffff3a", - "sha256:203f0c8871d5a7987be20c72442488a0b8cfd0f43b7973771640fc593f56321f", - "sha256:246de67b99b6851627d945db38147d1b209a899311b1305dd84916f2b88526c6", - "sha256:2dee8e57f052ef5353cf608e0b4c871aee320dd1b87d351c28764fc0ca55f9f4", - "sha256:2efb1bd13885392adfda4614c33d3b68dee4921fd0ac1d3988f8cbb7d589e72a", - "sha256:2f4ac36d8e2b4cc1aa71df3dd84ff8efbe3bfb97ac41242fbcfc053c67434f46", - "sha256:3170c9399da12c9dc66366e9d14da8bf7147e1e9d9ea566067bbce7bb74bd9c2", - "sha256:3b1613dd5aee995ec6d4c69f00378bbd07614702a315a2cf6c1d21461fe17c23", - "sha256:3bb3d25a8e6c0aedd251753a79ae98a093c7e7b471faa3aa9a93a81431987ace", - "sha256:3bb7fda7260735efe66d5107fb7e6af6a7c04c7fce9b2514e04b7a74b06bf5dd", - "sha256:41b25eaa7d15909cf3ac4c96088c1f266a9a93ec44f87f1d13d4a0e86c81b982", - "sha256:45de3f87179c1823e6d9e32156fb14c1927fcc9aba21433f088fdfb555b77c10", - "sha256:46fb8c61d794b78ec7134a715a3e564aafc8f6b5e338417cb19fe9f57a5a9bf2", - "sha256:48021783bdf96e3d6de03a6e39a1171ed5bd7e8bb93fc84cc649d11490f87cea", - "sha256:4957669ef390f0e6719db3613ab3a7631e68424604a7b448f079bee145da6e09", - "sha256:5e86d77b090dbddbe78867a0275cb4df08ea195e660f1f7f13435a4649e954e5", - "sha256:6339d047dab2780cc6220f46306628e04d9750f02f983ddb37439ca47ced7149", - "sha256:681eb3d7e02e3c3655d1b16059fbfb605ac464c834a0c629048a30fad2b27489", - "sha256:6c409c0deba34f147f77efaa67b8e4bb83d2f11c8806405f76397ae5b8c0d1c9", - "sha256:7095f6fbfaa55defb6b733cfeb14efaae7a29f0b59d8cf213be4e7ca0b857b80", - "sha256:70c610f6cbe4b9fce272c407dd9d07e33e6bf7b4aa1b7ffb6f6ded8e634e3592", - "sha256:72814c01533f51d68702802d74f77ea026b5ec52793c791e2da806a3844a46c3", - "sha256:7a4826ad2bd6b07ca615c74ab91f32f6c96d08f6fcc3902ceeedaec8cdc3bcd6", - "sha256:7c70087bfee18a42b4040bb9ec1ca15a08242cf5867c58726530bdf3945672ed", - "sha256:855eafa5d5a2034b4621c74925d89c5efef61418570e5ef9b37717d9c796419c", - "sha256:8700f06d0ce6f128de3ccdbc1acaea1ee264d2caa9ca05daaf492fde7c2a7200", - "sha256:89f1b185a01fe560bc8ae5f619e924407efca2191b56ce749ec84982fc59a32a", - "sha256:8b2c760cfc7042b27ebdb4a43a4453bd829a5742503599144d54a032c5dc7e9e", - "sha256:8c2f5e83493748286002f9369f3e6607c565a6a90425a3a1fef5ae32a36d749d", - "sha256:8e098148dd37b4ce3baca71fb394c81dc5d9c7728c95df695d2dca218edf40e6", - "sha256:94aea8eff76ee6d1cdacb07dd2123a68283cb5569e0250feab1240058f53b623", - "sha256:95eb302ff792e12aba9a8b8f8474ab229a83c103d74a750ec0bd1c1eea32e669", - "sha256:9bd9b3b31adcb054116447ea22caa61a285d92e94d710aa5ec97992ff5eb7cf3", - "sha256:9e608aafdb55eb9f255034709e20d5a83b6d60c054df0802fa9c9883d0a937aa", - "sha256:a103b3a7069b62f5d4890ae1b8f0597618f628b286b03d4bc9195230b154bfa9", - "sha256:a386ebe437176aab38c041de1260cd3ea459c6ce5263594399880bbc398225b2", - "sha256:a38856a971c602f98472050165cea2cdc97709240373041b69030be15047691f", - "sha256:a401b4598e5d3f4a9a811f3daf42ee2291790c7f9d74b18d75d6e21dda98a1a1", - "sha256:a7647ebdfb9682b7bb97e2a5e7cb6ae735b1c25008a70b906aecca294ee96cf4", - "sha256:aaf63899c94de41fe3cf934601b0f7ccb6b428c6e4eeb80da72c58eab077b19a", - "sha256:b0dac0ff919ba34d4df1b6131f59ce95b08b9065233446be7e459f95554c0dc8", - "sha256:baacc6aee0b2ef6f3d308e197b5d7a81c0e70b06beae1f1fcacffdbd124fe0e3", - "sha256:bf420121d4c8dce6b889f0e8e4ec0ca34b7f40186203f06a946fa0276ba54029", - "sha256:c04a46716adde8d927adb9457bbe39cf473e1e2c2f5d0a16ceb837e5d841ad4f", - "sha256:c0b21078a4b56965e2b12f247467b234734491897e99c1d51cee628da9786959", - "sha256:c1c76a1743432b4b60ab3358c937a3fe1341c828ae6194108a94c69028247f22", - "sha256:c4983bf937209c57240cff65906b18bb35e64ae872da6a0db937d7b4af845dd7", - "sha256:c4fb39a81950ec280984b3a44f5bd12819953dc5fa3a7e6fa7a80db5ee853952", - "sha256:c57921cda3a80d0f2b8aec7e25c8aa14479ea92b5b51b6876d975d925a2ea346", - "sha256:c8063cf17b19661471ecbdb3df1c84f24ad2e389e326ccaf89e3fb2484d8dd7e", - "sha256:ccd16eb18a849fd8dcb23e23380e2f0a354e8daa0c984b8a732d9cfaba3a776d", - "sha256:cd6dbe0238f7743d0efe563ab46294f54f9bc8f4b9bcf57c3c666cc5bc9d1299", - "sha256:d62e51710986674142526ab9f78663ca2b0726066ae26b78b22e0f5e571238dd", - "sha256:db901e2ac34c931d73054d9797383d0f8009991e723dab15109740a63e7f902a", - "sha256:e03b8895a6990c9ab2cdcd0f2fe44088ca1c65ae592b8f795c3294af00a461c3", - "sha256:e1c8a2f4c69e08e89632defbfabec2feb8a8d99edc9f89ce33c4b9e36ab63037", - "sha256:e4b749b9cc6ee664a3300bb3a273c1ca8068c46be705b6c31cf5d276f8628a94", - "sha256:e6a5bf2cba5ae1bb80b154ed68a3cfa2fa00fde979a7f50d6598d3e17d9ac20c", - "sha256:e857a2232ba53ae940d3456f7533ce6ca98b81917d47adc3c7fd55dad8fab858", - "sha256:ee4006268ed33370957f55bf2e6f4d263eaf4dc3cfc473d1d90baff6ed36ce4a", - "sha256:eef9df1eefada2c09a5e7a40991b9fc6ac6ef20b1372abd48d2794a316dc0449", - "sha256:f058f6963fd82eb143c692cecdc89e075fa0828db2e5b291070485390b2f1c9c", - "sha256:f25c229a6ba38a35ae6e25ca1264621cc25d4d38dca2942a7fce0b67a4efe918", - "sha256:f2a1d0fd4242bd8643ce6f98927cf9c04540af6efa92323e9d3124f57727bfc1", - "sha256:f7560358a6811e52e9c4d142d497f1a6e10103d3a6881f18d04dbce3729c0e2c", - "sha256:f779d3ad205f108d14e99bb3859aa7dd8e9c68874617c72354d7ecaec2a054ac", - "sha256:f87f746ee241d30d6ed93969de31e5ffd09a2961a051e60ae6bddde9ec3583aa" - ], - "index": "pypi", - "version": "==3.2.0" + "sha256:02673e456dc5ab13659f85196c534dc596d4ef260e4d86e856c3b2773ce09843", + "sha256:02af06682e3590ab952599fbadac535ede5d60d78848e555aa58d0c0abbde786", + "sha256:03680bb39035fbcffe828eae9c3f8afc0428c91d38e7d61aa992ef7a59fb120e", + "sha256:0570d21da019941634a531444364f2482e8db0b3425fcd5ac0c36565a64142c8", + "sha256:09c77f964f351a7369cc343911e0df63e762e42bac24cd7d18525961c81754f4", + "sha256:0d3d5b7db9ed8a2b11a774db2bbea7ba1884430a205dbd54a32d61d7c2a190fa", + "sha256:1063da2c85b95f2d1a430f1c33b55c9c17ffaf5e612e10aeaad641c55a9e2b9d", + "sha256:12ebea541c44fdc88ccb794a13fe861cc5e35d64ed689513a5c03d05b53b7c82", + "sha256:153e7b6e724761741e0974fc4dcd406d35ba70b92bfe3fedcb497226c93b9da7", + "sha256:15b26ddf78d57f1d143bdf32e820fd8935d36abe8a25eb9ec0b5a71c82eb3895", + "sha256:1872d01ac8c618a8da634e232f24793883d6e456a66593135aeafe3784b0848d", + "sha256:187d18082694a29005ba2944c882344b6748d5be69e3a89bf3cc9d878e548d5a", + "sha256:1b2919306936ac6efb3aed1fbf81039f7087ddadb3160882a57ee2ff74fd2382", + "sha256:232ac332403e37e4a03d209a3f92ed9071f7d3dbda70e2a5e9cff1c4ba9f0678", + "sha256:23e8565ab7ff33218530bc817922fae827420f143479b753104ab801145b1d5b", + "sha256:24817cb02cbef7cd499f7c9a2735286b4782bd47a5b3516a0e84c50eab44b98e", + "sha256:249c6470a2b60935bafd1d1d13cd613f8cd8388d53461c67397ee6a0f5dce741", + "sha256:24a91a981f185721542a0b7c92e9054b7ab4fea0508a795846bc5b0abf8118d4", + "sha256:2502dd2a736c879c0f0d3e2161e74d9907231e25d35794584b1ca5284e43f596", + "sha256:250c9eb0f4600361dd80d46112213dff2286231d92d3e52af1e5a6083d10cad9", + "sha256:278c296c6f96fa686d74eb449ea1697f3c03dc28b75f873b65b5201806346a69", + "sha256:2935ffc78db9645cb2086c2f8f4cfd23d9b73cc0dc80334bc30aac6f03f68f8c", + "sha256:2f4a0033ce9a76e391542c182f0d48d084855b5fcba5010f707c8e8c34663d77", + "sha256:30a85aed0b864ac88309b7d94be09f6046c834ef60762a8833b660139cfbad13", + "sha256:380c4bde80bce25c6e4f77b19386f5ec9db230df9f2f2ac1e5ad7af2caa70459", + "sha256:3ae38d325b512f63f8da31f826e6cb6c367336f95e418137286ba362925c877e", + "sha256:3b447982ad46348c02cb90d230b75ac34e9886273df3a93eec0539308a6296d7", + "sha256:3debd1150027933210c2fc321527c2299118aa929c2f5a0a80ab6953e3bd1908", + "sha256:4162918ef3098851fcd8a628bf9b6a98d10c380725df9e04caf5ca6dd48c847a", + "sha256:468d2a840567b13a590e67dd276c570f8de00ed767ecc611994c301d0f8c014f", + "sha256:4cc152c5dd831641e995764f9f0b6589519f6f5123258ccaca8c6d34572fefa8", + "sha256:542da1178c1c6af8873e143910e2269add130a299c9106eef2594e15dae5e482", + "sha256:557b21a44ceac6c6b9773bc65aa1b4cc3e248a5ad2f5b914b91579a32e22204d", + "sha256:5707a746c6083a3a74b46b3a631d78d129edab06195a92a8ece755aac25a3f3d", + "sha256:588245972aca710b5b68802c8cad9edaa98589b1b42ad2b53accd6910dad3545", + "sha256:5adf257bd58c1b8632046bbe43ee38c04e1038e9d37de9c57a94d6bd6ce5da34", + "sha256:619d1c96099be5823db34fe89e2582b336b5b074a7f47f819d6b3a57ff7bdb86", + "sha256:63563193aec44bce707e0c5ca64ff69fa72ed7cf34ce6e11d5127555756fd2f6", + "sha256:67b8cc9574bb518ec76dc8e705d4c39ae78bb96237cb533edac149352c1f39fe", + "sha256:6a685067d05e46641d5d1623d7c7fdf15a357546cbb2f71b0ebde91b175ffc3e", + "sha256:70f1d09c0d7748b73290b29219e854b3207aea922f839437870d8cc2168e31cc", + "sha256:750b446b2ffce1739e8578576092179160f6d26bd5e23eb1789c4d64d5af7dc7", + "sha256:7966951325782121e67c81299a031f4c115615e68046f79b85856b86ebffc4cd", + "sha256:7b8b8bf1189b3ba9b8de5c8db4d541b406611a71a955bbbd7385bbc45fcb786c", + "sha256:7f5d10bae5d78e4551b7be7a9b29643a95aded9d0f602aa2ba584f0388e7a557", + "sha256:805dfea4ca10411a5296bcc75638017215a93ffb584c9e344731eef0dcfb026a", + "sha256:81bf654678e575403736b85ba3a7867e31c2c30a69bc57fe88e3ace52fb17b89", + "sha256:82eb849f085624f6a607538ee7b83a6d8126df6d2f7d3b319cb837b289123078", + "sha256:85a32721ddde63c9df9ebb0d2045b9691d9750cb139c161c80e500d210f5e26e", + "sha256:86d1f65ac145e2c9ed71d8ffb1905e9bba3a91ae29ba55b4c46ae6fc31d7c0d4", + "sha256:86f63face3a527284f7bb8a9d4f78988e3c06823f7bea2bd6f0e0e9298ca0403", + "sha256:8eaf82f0eccd1505cf39a45a6bd0a8cf1c70dcfc30dba338207a969d91b965c0", + "sha256:93aa7eef6ee71c629b51ef873991d6911b906d7312c6e8e99790c0f33c576f89", + "sha256:96c2b49eb6a72c0e4991d62406e365d87067ca14c1a729a870d22354e6f68115", + "sha256:9cf3126b85822c4e53aa28c7ec9869b924d6fcfb76e77a45c44b83d91afd74f9", + "sha256:9fe359b2e3a7729010060fbca442ca225280c16e923b37db0e955ac2a2b72a05", + "sha256:a0ac5e7015a5920cfce654c06618ec40c33e12801711da6b4258af59a8eff00a", + "sha256:a3f93dab657839dfa61025056606600a11d0b696d79386f974e459a3fbc568ec", + "sha256:a4b71f4d1765639372a3b32d2638197f5cd5221b19531f9245fcc9ee62d38f56", + "sha256:aae32c93e0f64469f74ccc730a7cb21c7610af3a775157e50bbd38f816536b38", + "sha256:aaf7b34c5bc56b38c931a54f7952f1ff0ae77a2e82496583b247f7c969eb1479", + "sha256:abecce40dfebbfa6abf8e324e1860092eeca6f7375c8c4e655a8afb61af58f2c", + "sha256:abf0d9f45ea5fb95051c8bfe43cb40cda383772f7e5023a83cc481ca2604d74e", + "sha256:ac71b2977fb90c35d41c9453116e283fac47bb9096ad917b8819ca8b943abecd", + "sha256:ada214c6fa40f8d800e575de6b91a40d0548139e5dc457d2ebb61470abf50186", + "sha256:b09719a17a2301178fac4470d54b1680b18a5048b481cb8890e1ef820cb80455", + "sha256:b1121de0e9d6e6ca08289583d7491e7fcb18a439305b34a30b20d8215922d43c", + "sha256:b3b2316b25644b23b54a6f6401074cebcecd1244c0b8e80111c9a3f1c8e83d65", + "sha256:b3d9b48ee6e3967b7901c052b670c7dda6deb812c309439adaffdec55c6d7b78", + "sha256:b5bcf60a228acae568e9911f410f9d9e0d43197d030ae5799e20dca8df588287", + "sha256:b8f3307af845803fb0b060ab76cf6dd3a13adc15b6b451f54281d25911eb92df", + "sha256:c2af80fb58f0f24b3f3adcb9148e6203fa67dd3f61c4af146ecad033024dde43", + "sha256:c350354efb159b8767a6244c166f66e67506e06c8924ed74669b2c70bc8735b1", + "sha256:c5a74c359b2d47d26cdbbc7845e9662d6b08a1e915eb015d044729e92e7050b7", + "sha256:c71f16da1ed8949774ef79f4a0260d28b83b3a50c6576f8f4f0288d109777989", + "sha256:d47ecf253780c90ee181d4d871cd655a789da937454045b17b5798da9393901a", + "sha256:d7eff0f27edc5afa9e405f7165f85a6d782d308f3b6b9d96016c010597958e63", + "sha256:d97d85fa63f315a8bdaba2af9a6a686e0eceab77b3089af45133252618e70884", + "sha256:db756e48f9c5c607b5e33dd36b1d5872d0422e960145b08ab0ec7fd420e9d649", + "sha256:dc45229747b67ffc441b3de2f3ae5e62877a282ea828a5bdb67883c4ee4a8810", + "sha256:e0fc42822278451bc13a2e8626cf2218ba570f27856b536e00cfa53099724828", + "sha256:e39c7eb31e3f5b1f88caff88bcff1b7f8334975b46f6ac6e9fc725d829bc35d4", + "sha256:e46cd37076971c1040fc8c41273a8b3e2c624ce4f2be3f5dfcb7a430c1d3acc2", + "sha256:e5c1502d4ace69a179305abb3f0bb6141cbe4714bc9b31d427329a95acfc8bdd", + "sha256:edfe077ab09442d4ef3c52cb1f9dab89bff02f4524afc0acf2d46be17dc479f5", + "sha256:effe5406c9bd748a871dbcaf3ac69167c38d72db8c9baf3ff954c344f31c4cbe", + "sha256:f0d1e3732768fecb052d90d62b220af62ead5748ac51ef61e7b32c266cac9293", + "sha256:f5969baeaea61c97efa706b9b107dcba02784b1601c74ac84f2a532ea079403e", + "sha256:f8888e31e3a85943743f8fc15e71536bda1c81d5aa36d014a3c0c44481d7db6e", + "sha256:fc52b79d83a3fe3a360902d3f5d79073a993597d48114c29485e9431092905d8" + ], + "index": "pypi", + "markers": "python_full_version >= '3.7.0'", + "version": "==3.3.0" }, "coverage": { "hashes": [ @@ -1849,6 +2052,7 @@ "sha256:f11642dddbb0253cc8853254301b51390ba0081750a8ac03f20ea8103f0c56b6" ], "index": "pypi", + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'", "version": "==5.5" }, "coverage-badge": { @@ -1891,27 +2095,29 @@ }, "filelock": { "hashes": [ - "sha256:002740518d8aa59a26b0c76e10fb8c6e15eae825d34b6fdf670333fd7b938d81", - "sha256:cbb791cdea2a72f23da6ac5b5269ab0a0d161e9ef0100e653b69049a7706d1ec" + "sha256:08c21d87ded6e2b9da6728c3dff51baf1dcecf973b768ef35bcbc3447edb9ad4", + "sha256:2e6f249f1f3654291606e046b09f1fd5eac39b360664c27f5aad072012f8bcbd" ], - "markers": "python_version >= '3.7'", - "version": "==3.12.2" + "markers": "python_version >= '3.8'", + "version": "==3.12.4" }, "flake8": { "hashes": [ - "sha256:6fbe320aad8d6b95cec8b8e47bc933004678dc63095be98528b7bdd2a9f510db", - "sha256:7a1cf6b73744f5806ab95e526f6f0d8c01c66d7bbe349562d22dfca20610b248" + "sha256:d5b3857f07c030bdb5bf41c7f53799571d75c4491748a3adcd47de929e34cd23", + "sha256:ffdfce58ea94c6580c77888a86506937f9a1a227dfcd15f245d694ae20a6b6e5" ], "index": "pypi", - "version": "==5.0.4" + "markers": "python_full_version >= '3.8.1'", + "version": "==6.1.0" }, "flake8-bugbear": { "hashes": [ - "sha256:beb5c7efcd7ccc2039ef66a77bb8db925e7be3531ff1cb4d0b7030d0e2113d72", - "sha256:e3e7f74c8a49ad3794a7183353026dabd68c74030d5f46571f84c1fb0eb79363" + "sha256:90cf04b19ca02a682feb5aac67cae8de742af70538590509941ab10ae8351f71", + "sha256:b182cf96ea8f7a8595b2f87321d7d9b28728f4d9c3318012d896543d19742cb5" ], "index": "pypi", - "version": "==23.3.12" + "markers": "python_full_version >= '3.8.1'", + "version": "==23.9.16" }, "freezegun": { "hashes": [ @@ -1919,87 +2125,75 @@ "sha256:ea1b963b993cb9ea195adbd893a48d573fda951b0da64f60883d7e988b606c9f" ], "index": "pypi", + "markers": "python_version >= '3.6'", "version": "==1.2.2" }, "frozenlist": { "hashes": [ - "sha256:008a054b75d77c995ea26629ab3a0c0d7281341f2fa7e1e85fa6153ae29ae99c", - "sha256:02c9ac843e3390826a265e331105efeab489ffaf4dd86384595ee8ce6d35ae7f", - "sha256:034a5c08d36649591be1cbb10e09da9f531034acfe29275fc5454a3b101ce41a", - "sha256:05cdb16d09a0832eedf770cb7bd1fe57d8cf4eaf5aced29c4e41e3f20b30a784", - "sha256:0693c609e9742c66ba4870bcee1ad5ff35462d5ffec18710b4ac89337ff16e27", - "sha256:0771aed7f596c7d73444c847a1c16288937ef988dc04fb9f7be4b2aa91db609d", - "sha256:0af2e7c87d35b38732e810befb9d797a99279cbb85374d42ea61c1e9d23094b3", - "sha256:14143ae966a6229350021384870458e4777d1eae4c28d1a7aa47f24d030e6678", - "sha256:180c00c66bde6146a860cbb81b54ee0df350d2daf13ca85b275123bbf85de18a", - "sha256:1841e200fdafc3d51f974d9d377c079a0694a8f06de2e67b48150328d66d5483", - "sha256:23d16d9f477bb55b6154654e0e74557040575d9d19fe78a161bd33d7d76808e8", - "sha256:2b07ae0c1edaa0a36339ec6cce700f51b14a3fc6545fdd32930d2c83917332cf", - "sha256:2c926450857408e42f0bbc295e84395722ce74bae69a3b2aa2a65fe22cb14b99", - "sha256:2e24900aa13212e75e5b366cb9065e78bbf3893d4baab6052d1aca10d46d944c", - "sha256:303e04d422e9b911a09ad499b0368dc551e8c3cd15293c99160c7f1f07b59a48", - "sha256:352bd4c8c72d508778cf05ab491f6ef36149f4d0cb3c56b1b4302852255d05d5", - "sha256:3843f84a6c465a36559161e6c59dce2f2ac10943040c2fd021cfb70d58c4ad56", - "sha256:394c9c242113bfb4b9aa36e2b80a05ffa163a30691c7b5a29eba82e937895d5e", - "sha256:3bbdf44855ed8f0fbcd102ef05ec3012d6a4fd7c7562403f76ce6a52aeffb2b1", - "sha256:40de71985e9042ca00b7953c4f41eabc3dc514a2d1ff534027f091bc74416401", - "sha256:41fe21dc74ad3a779c3d73a2786bdf622ea81234bdd4faf90b8b03cad0c2c0b4", - "sha256:47df36a9fe24054b950bbc2db630d508cca3aa27ed0566c0baf661225e52c18e", - "sha256:4ea42116ceb6bb16dbb7d526e242cb6747b08b7710d9782aa3d6732bd8d27649", - "sha256:58bcc55721e8a90b88332d6cd441261ebb22342e238296bb330968952fbb3a6a", - "sha256:5c11e43016b9024240212d2a65043b70ed8dfd3b52678a1271972702d990ac6d", - "sha256:5cf820485f1b4c91e0417ea0afd41ce5cf5965011b3c22c400f6d144296ccbc0", - "sha256:5d8860749e813a6f65bad8285a0520607c9500caa23fea6ee407e63debcdbef6", - "sha256:6327eb8e419f7d9c38f333cde41b9ae348bec26d840927332f17e887a8dcb70d", - "sha256:65a5e4d3aa679610ac6e3569e865425b23b372277f89b5ef06cf2cdaf1ebf22b", - "sha256:66080ec69883597e4d026f2f71a231a1ee9887835902dbe6b6467d5a89216cf6", - "sha256:783263a4eaad7c49983fe4b2e7b53fa9770c136c270d2d4bbb6d2192bf4d9caf", - "sha256:7f44e24fa70f6fbc74aeec3e971f60a14dde85da364aa87f15d1be94ae75aeef", - "sha256:7fdfc24dcfce5b48109867c13b4cb15e4660e7bd7661741a391f821f23dfdca7", - "sha256:810860bb4bdce7557bc0febb84bbd88198b9dbc2022d8eebe5b3590b2ad6c842", - "sha256:841ea19b43d438a80b4de62ac6ab21cfe6827bb8a9dc62b896acc88eaf9cecba", - "sha256:84610c1502b2461255b4c9b7d5e9c48052601a8957cd0aea6ec7a7a1e1fb9420", - "sha256:899c5e1928eec13fd6f6d8dc51be23f0d09c5281e40d9cf4273d188d9feeaf9b", - "sha256:8bae29d60768bfa8fb92244b74502b18fae55a80eac13c88eb0b496d4268fd2d", - "sha256:8df3de3a9ab8325f94f646609a66cbeeede263910c5c0de0101079ad541af332", - "sha256:8fa3c6e3305aa1146b59a09b32b2e04074945ffcfb2f0931836d103a2c38f936", - "sha256:924620eef691990dfb56dc4709f280f40baee568c794b5c1885800c3ecc69816", - "sha256:9309869032abb23d196cb4e4db574232abe8b8be1339026f489eeb34a4acfd91", - "sha256:9545a33965d0d377b0bc823dcabf26980e77f1b6a7caa368a365a9497fb09420", - "sha256:9ac5995f2b408017b0be26d4a1d7c61bce106ff3d9e3324374d66b5964325448", - "sha256:9bbbcedd75acdfecf2159663b87f1bb5cfc80e7cd99f7ddd9d66eb98b14a8411", - "sha256:a4ae8135b11652b08a8baf07631d3ebfe65a4c87909dbef5fa0cdde440444ee4", - "sha256:a6394d7dadd3cfe3f4b3b186e54d5d8504d44f2d58dcc89d693698e8b7132b32", - "sha256:a97b4fe50b5890d36300820abd305694cb865ddb7885049587a5678215782a6b", - "sha256:ae4dc05c465a08a866b7a1baf360747078b362e6a6dbeb0c57f234db0ef88ae0", - "sha256:b1c63e8d377d039ac769cd0926558bb7068a1f7abb0f003e3717ee003ad85530", - "sha256:b1e2c1185858d7e10ff045c496bbf90ae752c28b365fef2c09cf0fa309291669", - "sha256:b4395e2f8d83fbe0c627b2b696acce67868793d7d9750e90e39592b3626691b7", - "sha256:b756072364347cb6aa5b60f9bc18e94b2f79632de3b0190253ad770c5df17db1", - "sha256:ba64dc2b3b7b158c6660d49cdb1d872d1d0bf4e42043ad8d5006099479a194e5", - "sha256:bed331fe18f58d844d39ceb398b77d6ac0b010d571cba8267c2e7165806b00ce", - "sha256:c188512b43542b1e91cadc3c6c915a82a5eb95929134faf7fd109f14f9892ce4", - "sha256:c21b9aa40e08e4f63a2f92ff3748e6b6c84d717d033c7b3438dd3123ee18f70e", - "sha256:ca713d4af15bae6e5d79b15c10c8522859a9a89d3b361a50b817c98c2fb402a2", - "sha256:cd4210baef299717db0a600d7a3cac81d46ef0e007f88c9335db79f8979c0d3d", - "sha256:cfe33efc9cb900a4c46f91a5ceba26d6df370ffddd9ca386eb1d4f0ad97b9ea9", - "sha256:d5cd3ab21acbdb414bb6c31958d7b06b85eeb40f66463c264a9b343a4e238642", - "sha256:dfbac4c2dfcc082fcf8d942d1e49b6aa0766c19d3358bd86e2000bf0fa4a9cf0", - "sha256:e235688f42b36be2b6b06fc37ac2126a73b75fb8d6bc66dd632aa35286238703", - "sha256:eb82dbba47a8318e75f679690190c10a5e1f447fbf9df41cbc4c3afd726d88cb", - "sha256:ebb86518203e12e96af765ee89034a1dbb0c3c65052d1b0c19bbbd6af8a145e1", - "sha256:ee78feb9d293c323b59a6f2dd441b63339a30edf35abcb51187d2fc26e696d13", - "sha256:eedab4c310c0299961ac285591acd53dc6723a1ebd90a57207c71f6e0c2153ab", - "sha256:efa568b885bca461f7c7b9e032655c0c143d305bf01c30caf6db2854a4532b38", - "sha256:efce6ae830831ab6a22b9b4091d411698145cb9b8fc869e1397ccf4b4b6455cb", - "sha256:f163d2fd041c630fed01bc48d28c3ed4a3b003c00acd396900e11ee5316b56bb", - "sha256:f20380df709d91525e4bee04746ba612a4df0972c1b8f8e1e8af997e678c7b81", - "sha256:f30f1928162e189091cf4d9da2eac617bfe78ef907a761614ff577ef4edfb3c8", - "sha256:f470c92737afa7d4c3aacc001e335062d582053d4dbe73cda126f2d7031068dd", - "sha256:ff8bf625fe85e119553b5383ba0fb6aa3d0ec2ae980295aaefa552374926b3f4" - ], - "markers": "python_version >= '3.7'", - "version": "==1.3.3" + "sha256:007df07a6e3eb3e33e9a1fe6a9db7af152bbd8a185f9aaa6ece10a3529e3e1c6", + "sha256:008eb8b31b3ea6896da16c38c1b136cb9fec9e249e77f6211d479db79a4eaf01", + "sha256:09163bdf0b2907454042edb19f887c6d33806adc71fbd54afc14908bfdc22251", + "sha256:0c7c1b47859ee2cac3846fde1c1dc0f15da6cec5a0e5c72d101e0f83dcb67ff9", + "sha256:0e5c8764c7829343d919cc2dfc587a8db01c4f70a4ebbc49abde5d4b158b007b", + "sha256:10ff5faaa22786315ef57097a279b833ecab1a0bfb07d604c9cbb1c4cdc2ed87", + "sha256:17ae5cd0f333f94f2e03aaf140bb762c64783935cc764ff9c82dff626089bebf", + "sha256:19488c57c12d4e8095a922f328df3f179c820c212940a498623ed39160bc3c2f", + "sha256:1a0848b52815006ea6596c395f87449f693dc419061cc21e970f139d466dc0a0", + "sha256:1e78fb68cf9c1a6aa4a9a12e960a5c9dfbdb89b3695197aa7064705662515de2", + "sha256:261b9f5d17cac914531331ff1b1d452125bf5daa05faf73b71d935485b0c510b", + "sha256:2b8bcf994563466db019fab287ff390fffbfdb4f905fc77bc1c1d604b1c689cc", + "sha256:38461d02d66de17455072c9ba981d35f1d2a73024bee7790ac2f9e361ef1cd0c", + "sha256:490132667476f6781b4c9458298b0c1cddf237488abd228b0b3650e5ecba7467", + "sha256:491e014f5c43656da08958808588cc6c016847b4360e327a62cb308c791bd2d9", + "sha256:515e1abc578dd3b275d6a5114030b1330ba044ffba03f94091842852f806f1c1", + "sha256:556de4430ce324c836789fa4560ca62d1591d2538b8ceb0b4f68fb7b2384a27a", + "sha256:5833593c25ac59ede40ed4de6d67eb42928cca97f26feea219f21d0ed0959b79", + "sha256:6221d84d463fb110bdd7619b69cb43878a11d51cbb9394ae3105d082d5199167", + "sha256:6918d49b1f90821e93069682c06ffde41829c346c66b721e65a5c62b4bab0300", + "sha256:6c38721585f285203e4b4132a352eb3daa19121a035f3182e08e437cface44bf", + "sha256:71932b597f9895f011f47f17d6428252fc728ba2ae6024e13c3398a087c2cdea", + "sha256:7211ef110a9194b6042449431e08c4d80c0481e5891e58d429df5899690511c2", + "sha256:764226ceef3125e53ea2cb275000e309c0aa5464d43bd72abd661e27fffc26ab", + "sha256:7645a8e814a3ee34a89c4a372011dcd817964ce8cb273c8ed6119d706e9613e3", + "sha256:76d4711f6f6d08551a7e9ef28c722f4a50dd0fc204c56b4bcd95c6cc05ce6fbb", + "sha256:7f4f399d28478d1f604c2ff9119907af9726aed73680e5ed1ca634d377abb087", + "sha256:88f7bc0fcca81f985f78dd0fa68d2c75abf8272b1f5c323ea4a01a4d7a614efc", + "sha256:8d0edd6b1c7fb94922bf569c9b092ee187a83f03fb1a63076e7774b60f9481a8", + "sha256:901289d524fdd571be1c7be054f48b1f88ce8dddcbdf1ec698b27d4b8b9e5d62", + "sha256:93ea75c050c5bb3d98016b4ba2497851eadf0ac154d88a67d7a6816206f6fa7f", + "sha256:981b9ab5a0a3178ff413bca62526bb784249421c24ad7381e39d67981be2c326", + "sha256:9ac08e601308e41eb533f232dbf6b7e4cea762f9f84f6357136eed926c15d12c", + "sha256:a02eb8ab2b8f200179b5f62b59757685ae9987996ae549ccf30f983f40602431", + "sha256:a0c6da9aee33ff0b1a451e867da0c1f47408112b3391dd43133838339e410963", + "sha256:a6c8097e01886188e5be3e6b14e94ab365f384736aa1fca6a0b9e35bd4a30bc7", + "sha256:aa384489fefeb62321b238e64c07ef48398fe80f9e1e6afeff22e140e0850eef", + "sha256:ad2a9eb6d9839ae241701d0918f54c51365a51407fd80f6b8289e2dfca977cc3", + "sha256:b206646d176a007466358aa21d85cd8600a415c67c9bd15403336c331a10d956", + "sha256:b826d97e4276750beca7c8f0f1a4938892697a6bcd8ec8217b3312dad6982781", + "sha256:b89ac9768b82205936771f8d2eb3ce88503b1556324c9f903e7156669f521472", + "sha256:bd7bd3b3830247580de99c99ea2a01416dfc3c34471ca1298bccabf86d0ff4dc", + "sha256:bdf1847068c362f16b353163391210269e4f0569a3c166bc6a9f74ccbfc7e839", + "sha256:c11b0746f5d946fecf750428a95f3e9ebe792c1ee3b1e96eeba145dc631a9672", + "sha256:c5374b80521d3d3f2ec5572e05adc94601985cc526fb276d0c8574a6d749f1b3", + "sha256:ca265542ca427bf97aed183c1676e2a9c66942e822b14dc6e5f42e038f92a503", + "sha256:ce31ae3e19f3c902de379cf1323d90c649425b86de7bbdf82871b8a2a0615f3d", + "sha256:ceb6ec0a10c65540421e20ebd29083c50e6d1143278746a4ef6bcf6153171eb8", + "sha256:d081f13b095d74b67d550de04df1c756831f3b83dc9881c38985834387487f1b", + "sha256:d5655a942f5f5d2c9ed93d72148226d75369b4f6952680211972a33e59b1dfdc", + "sha256:d5a32087d720c608f42caed0ef36d2b3ea61a9d09ee59a5142d6070da9041b8f", + "sha256:d6484756b12f40003c6128bfcc3fa9f0d49a687e171186c2d85ec82e3758c559", + "sha256:dd65632acaf0d47608190a71bfe46b209719bf2beb59507db08ccdbe712f969b", + "sha256:de343e75f40e972bae1ef6090267f8260c1446a1695e77096db6cfa25e759a95", + "sha256:e29cda763f752553fa14c68fb2195150bfab22b352572cb36c43c47bedba70eb", + "sha256:e41f3de4df3e80de75845d3e743b3f1c4c8613c3997a912dbf0229fc61a8b963", + "sha256:e66d2a64d44d50d2543405fb183a21f76b3b5fd16f130f5c99187c3fb4e64919", + "sha256:e74b0506fa5aa5598ac6a975a12aa8928cbb58e1f5ac8360792ef15de1aa848f", + "sha256:f0ed05f5079c708fe74bf9027e95125334b6978bf07fd5ab923e9e55e5fbb9d3", + "sha256:f61e2dc5ad442c52b4887f1fdc112f97caeff4d9e6ebe78879364ac59f1663e1", + "sha256:fec520865f42e5c7f050c2a79038897b1c7d1595e907a9e08e3353293ffc948e" + ], + "markers": "python_version >= '3.8'", + "version": "==1.4.0" }, "gitdb": { "hashes": [ @@ -2011,19 +2205,20 @@ }, "gitpython": { "hashes": [ - "sha256:5d3802b98a3bae1c2b8ae0e1ff2e4aa16bcdf02c145da34d092324f599f01395", - "sha256:85f7d365d1f6bf677ae51039c1ef67ca59091c7ebd5a3509aa399d4eda02d6dd" + "sha256:5f4c4187de49616d710a77e98ddf17b4782060a1788df441846bddefbb89ab33", + "sha256:f9b9ddc0761c125d5780eab2d64be4873fc6817c2899cbcb34b02344bdc7bc54" ], "index": "pypi", - "version": "==3.1.34" + "markers": "python_version >= '3.7'", + "version": "==3.1.37" }, "identify": { "hashes": [ - "sha256:0aac67d5b4812498056d28a9a512a483f5085cc28640b02b258a59dac34301d4", - "sha256:986dbfb38b1140e763e413e6feb44cd731faf72d1909543178aa79b0e258265d" + "sha256:afe67f26ae29bab007ec21b03d4114f41316ab9dd15aa8736a167481e108da54", + "sha256:f302a4256a15c849b91cfcdcec052a8ce914634b2f77ae87dad29cd749f2d88d" ], - "markers": "python_version >= '3.7'", - "version": "==2.5.24" + "markers": "python_version >= '3.8'", + "version": "==2.5.30" }, "idna": { "hashes": [ @@ -2033,21 +2228,13 @@ "markers": "python_version >= '3.5'", "version": "==3.4" }, - "importlib-metadata": { - "hashes": [ - "sha256:8a8a81bcf996e74fee46f0d16bd3eaa382a7eb20fd82445c3ad11f4090334116", - "sha256:dd0173e8f150d6815e098fd354f6414b0f079af4644ddfe90c71e2fc6174346d" - ], - "index": "pypi", - "version": "==4.13.0" - }, "importlib-resources": { "hashes": [ - "sha256:4be82589bf5c1d7999aedf2a45159d10cb3ca4f19b2271f8792bc8e6da7b22f6", - "sha256:7b1deeebbf351c7578e09bf2f63fa2ce8b5ffec296e0d349139d43cca061a81a" + "sha256:9d48dcccc213325e810fd723e7fbb45ccb39f6cf5c31f00cf2b965f5f10f3cb9", + "sha256:aa50258bbfa56d4e33fbd8aa3ef48ded10d1735f11532b8df95388cc6bdb7e83" ], "markers": "python_version < '3.9'", - "version": "==5.12.0" + "version": "==6.1.0" }, "iniconfig": { "hashes": [ @@ -2059,19 +2246,28 @@ }, "jsonschema": { "hashes": [ - "sha256:0f864437ab8b6076ba6707453ef8f98a6a0d512a80e93f8abdb676f737ecb60d", - "sha256:a870ad254da1a8ca84b6a2905cac29d265f805acc57af304784962a2aa6508f6" + "sha256:cd5f1f9ed9444e554b38ba003af06c0a8c2868131e56bfbef0550fb450c0330e", + "sha256:ec84cc37cfa703ef7cd4928db24f9cb31428a5d0fa77747b8b51a847458e0bbf" ], "index": "pypi", - "version": "==4.17.3" + "markers": "python_version >= '3.8'", + "version": "==4.19.1" + }, + "jsonschema-specifications": { + "hashes": [ + "sha256:05adf340b659828a004220a9613be00fa3f223f2b82002e273dee62fd50524b1", + "sha256:c91a50404e88a1f6ba40636778e2ee08f6e24c5613fe4c53ac24578a5a7f72bb" + ], + "markers": "python_version >= '3.8'", + "version": "==2023.7.1" }, "markdown-it-py": { "hashes": [ - "sha256:5a35f8d1870171d9acc47b99612dc146129b631baf04970128b568f190d0cc30", - "sha256:7c9a5e412688bc771c67432cbfebcdd686c93ce6484913dccf06cb5a0bea35a1" + "sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1", + "sha256:e3f60a94fa066dc52ec76661e37c851cb232d92f9886b15cb560aaada2df8feb" ], - "markers": "python_version >= '3.7'", - "version": "==2.2.0" + "markers": "python_version >= '3.8'", + "version": "==3.0.0" }, "mccabe": { "hashes": [ @@ -2095,6 +2291,7 @@ "sha256:5e96aad5ccda4718e0a229ed94b2024df75cc2d55575ba5762d31f5767b8767d" ], "index": "pypi", + "markers": "python_version >= '3.6'", "version": "==5.1.0" }, "multidict": { @@ -2179,42 +2376,44 @@ }, "mypy": { "hashes": [ - "sha256:01fd2e9f85622d981fd9063bfaef1aed6e336eaacca00892cd2d82801ab7c042", - "sha256:0dde1d180cd84f0624c5dcaaa89c89775550a675aff96b5848de78fb11adabcd", - "sha256:141dedfdbfe8a04142881ff30ce6e6653c9685b354876b12e4fe6c78598b45e2", - "sha256:16f0db5b641ba159eff72cff08edc3875f2b62b2fa2bc24f68c1e7a4e8232d01", - "sha256:190b6bab0302cec4e9e6767d3eb66085aef2a1cc98fe04936d8a42ed2ba77bb7", - "sha256:2460a58faeea905aeb1b9b36f5065f2dc9a9c6e4c992a6499a2360c6c74ceca3", - "sha256:34a9239d5b3502c17f07fd7c0b2ae6b7dd7d7f6af35fbb5072c6208e76295816", - "sha256:43b592511672017f5b1a483527fd2684347fdffc041c9ef53428c8dc530f79a3", - "sha256:43d24f6437925ce50139a310a64b2ab048cb2d3694c84c71c3f2a1626d8101dc", - "sha256:45d32cec14e7b97af848bddd97d85ea4f0db4d5a149ed9676caa4eb2f7402bb4", - "sha256:470c969bb3f9a9efcedbadcd19a74ffb34a25f8e6b0e02dae7c0e71f8372f97b", - "sha256:566e72b0cd6598503e48ea610e0052d1b8168e60a46e0bfd34b3acf2d57f96a8", - "sha256:5703097c4936bbb9e9bce41478c8d08edd2865e177dc4c52be759f81ee4dd26c", - "sha256:7549fbf655e5825d787bbc9ecf6028731973f78088fbca3a1f4145c39ef09462", - "sha256:8207b7105829eca6f3d774f64a904190bb2231de91b8b186d21ffd98005f14a7", - "sha256:8c4d8e89aa7de683e2056a581ce63c46a0c41e31bd2b6d34144e2c80f5ea53dc", - "sha256:98324ec3ecf12296e6422939e54763faedbfcc502ea4a4c38502082711867258", - "sha256:9bbcd9ab8ea1f2e1c8031c21445b511442cc45c89951e49bbf852cbb70755b1b", - "sha256:9d40652cc4fe33871ad3338581dca3297ff5f2213d0df345bcfbde5162abf0c9", - "sha256:a2746d69a8196698146a3dbe29104f9eb6a2a4d8a27878d92169a6c0b74435b6", - "sha256:ae704dcfaa180ff7c4cfbad23e74321a2b774f92ca77fd94ce1049175a21c97f", - "sha256:bfdca17c36ae01a21274a3c387a63aa1aafe72bff976522886869ef131b937f1", - "sha256:c482e1246726616088532b5e964e39765b6d1520791348e6c9dc3af25b233828", - "sha256:ca637024ca67ab24a7fd6f65d280572c3794665eaf5edcc7e90a866544076878", - "sha256:e02d700ec8d9b1859790c0475df4e4092c7bf3272a4fd2c9f33d87fac4427b8f", - "sha256:e5952d2d18b79f7dc25e62e014fe5a23eb1a3d2bc66318df8988a01b1a037c5b" - ], - "index": "pypi", - "version": "==1.4.1" + "sha256:159aa9acb16086b79bbb0016145034a1a05360626046a929f84579ce1666b315", + "sha256:258b22210a4a258ccd077426c7a181d789d1121aca6db73a83f79372f5569ae0", + "sha256:26f71b535dfc158a71264e6dc805a9f8d2e60b67215ca0bfa26e2e1aa4d4d373", + "sha256:26fb32e4d4afa205b24bf645eddfbb36a1e17e995c5c99d6d00edb24b693406a", + "sha256:2fc3a600f749b1008cc75e02b6fb3d4db8dbcca2d733030fe7a3b3502902f161", + "sha256:32cb59609b0534f0bd67faebb6e022fe534bdb0e2ecab4290d683d248be1b275", + "sha256:330857f9507c24de5c5724235e66858f8364a0693894342485e543f5b07c8693", + "sha256:361da43c4f5a96173220eb53340ace68cda81845cd88218f8862dfb0adc8cddb", + "sha256:4a465ea2ca12804d5b34bb056be3a29dc47aea5973b892d0417c6a10a40b2d65", + "sha256:51cb1323064b1099e177098cb939eab2da42fea5d818d40113957ec954fc85f4", + "sha256:57b10c56016adce71fba6bc6e9fd45d8083f74361f629390c556738565af8eeb", + "sha256:596fae69f2bfcb7305808c75c00f81fe2829b6236eadda536f00610ac5ec2243", + "sha256:5d627124700b92b6bbaa99f27cbe615c8ea7b3402960f6372ea7d65faf376c14", + "sha256:6ac9c21bfe7bc9f7f1b6fae441746e6a106e48fc9de530dea29e8cd37a2c0cc4", + "sha256:82cb6193de9bbb3844bab4c7cf80e6227d5225cc7625b068a06d005d861ad5f1", + "sha256:8f772942d372c8cbac575be99f9cc9d9fb3bd95c8bc2de6c01411e2c84ebca8a", + "sha256:9fece120dbb041771a63eb95e4896791386fe287fefb2837258925b8326d6160", + "sha256:a156e6390944c265eb56afa67c74c0636f10283429171018446b732f1a05af25", + "sha256:a9ec1f695f0c25986e6f7f8778e5ce61659063268836a38c951200c57479cc12", + "sha256:abed92d9c8f08643c7d831300b739562b0a6c9fcb028d211134fc9ab20ccad5d", + "sha256:b031b9601f1060bf1281feab89697324726ba0c0bae9d7cd7ab4b690940f0b92", + "sha256:c543214ffdd422623e9fedd0869166c2f16affe4ba37463975043ef7d2ea8770", + "sha256:d28ddc3e3dfeab553e743e532fb95b4e6afad51d4706dd22f28e1e5e664828d2", + "sha256:f33592ddf9655a4894aef22d134de7393e95fcbdc2d15c1ab65828eee5c66c70", + "sha256:f6b0e77db9ff4fda74de7df13f30016a0a663928d669c9f2c057048ba44f09bb", + "sha256:f757063a83970d67c444f6e01d9550a7402322af3557ce7630d3c957386fa8f5", + "sha256:ff0cedc84184115202475bbb46dd99f8dcb87fe24d5d0ddfc0fe6b8575c88d2f" + ], + "index": "pypi", + "markers": "python_version >= '3.8'", + "version": "==1.5.1" }, "mypy-boto3-s3": { "hashes": [ - "sha256:44da375fd4d75b1c5ccc26dcd3be48294c7061445efd6d90ebfca43ffebbb3e4", - "sha256:d0e90074e4043edf420292397012e37309ff204442a0874d8c969f56546be665" + "sha256:11a3db97398973d4ae28489b94c010778a0a5c65f99e00268456c3fea67eca79", + "sha256:b008809f448e74075012d4fc54b0176de0b4f49bc38e39de30ca0e764eb75056" ], - "version": "==1.28.36" + "version": "==1.28.55" }, "mypy-extensions": { "hashes": [ @@ -2238,6 +2437,7 @@ "sha256:a392980d2b6cffa644431898be54b0045151319d1e7ec34f0cfed48767dd334f" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==23.1" }, "parameterized": { @@ -2246,6 +2446,7 @@ "sha256:7fc905272cefa4f364c1a3429cbbe9c0f98b793988efb5bf90aac80f08db09b1" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==0.9.0" }, "pbr": { @@ -2266,43 +2467,44 @@ }, "platformdirs": { "hashes": [ - "sha256:83c8f6d04389165de7c9b6f0c682439697887bca0aa2f1c87ef1826be3584490", - "sha256:e1fea1fe471b9ff8332e229df3cb7de4f53eeea4998d3b6bfff542115e998bd2" + "sha256:cf8ee52a3afdb965072dcc652433e0c7e3e40cf5ea1477cd4b3b1d2eb75495b3", + "sha256:e9d171d00af68be50e9202731309c4e658fd8bc76f55c11c7dd760d023bda68e" ], "markers": "python_version >= '3.7'", - "version": "==2.6.2" + "version": "==3.11.0" }, "pluggy": { "hashes": [ - "sha256:c2fd55a7d7a3863cba1a013e4e2414658b1d07b6bc57b3919e0c63c9abb99849", - "sha256:d12f0c4b579b15f5e054301bb226ee85eeeba08ffec228092f8defbaa3a4c4b3" + "sha256:cf61ae8f126ac6f7c451172cf30e3e43d3ca77615509771b3a984a0730651e12", + "sha256:d89c696a773f8bd377d18e5ecda92b7a3793cbe66c87060a6fb58c7b6e1061f7" ], - "markers": "python_version >= '3.7'", - "version": "==1.2.0" + "markers": "python_version >= '3.8'", + "version": "==1.3.0" }, "pre-commit": { "hashes": [ - "sha256:31ef31af7e474a8d8995027fefdfcf509b5c913ff31f2015b4ec4beb26a6f658", - "sha256:e2f91727039fc39a92f58a588a25b87f936de6567eed4f0e673e0507edc75bad" + "sha256:6bbd5129a64cad4c0dfaeeb12cd8f7ea7e15b77028d985341478c8af3c759522", + "sha256:96d529a951f8b677f730a7212442027e8ba53f9b04d217c4c67dc56c393ad945" ], "index": "pypi", - "version": "==2.21.0" + "markers": "python_version >= '3.8'", + "version": "==3.4.0" }, "pycodestyle": { "hashes": [ - "sha256:2c9607871d58c76354b697b42f5d57e1ada7d261c261efac224b664affdc5785", - "sha256:d1735fc58b418fd7c5f658d28d943854f8a849b01a5d0a1e6f3f3fdd0166804b" + "sha256:259bcc17857d8a8b3b4a2327324b79e5f020a13c16074670f9c8c8f872ea76d0", + "sha256:5d1013ba8dc7895b548be5afb05740ca82454fd899971563d2ef625d090326f8" ], - "markers": "python_version >= '3.6'", - "version": "==2.9.1" + "markers": "python_version >= '3.8'", + "version": "==2.11.0" }, "pyflakes": { "hashes": [ - "sha256:4579f67d887f804e67edb544428f264b7b24f435b263c4614f384135cea553d2", - "sha256:491feb020dca48ccc562a8c0cbe8df07ee13078df59813b83959cbdada312ea3" + "sha256:4132f6d49cb4dae6819e5379898f2b8cce3c5f23994194c24b77d5da2e36f774", + "sha256:a0aae034c444db0071aa077972ba4768d40c830d9539fd45bf4cd3f8f6992efc" ], - "markers": "python_version >= '3.6'", - "version": "==2.5.0" + "markers": "python_version >= '3.8'", + "version": "==3.1.0" }, "pygments": { "hashes": [ @@ -2312,46 +2514,14 @@ "markers": "python_version >= '3.7'", "version": "==2.16.1" }, - "pyrsistent": { - "hashes": [ - "sha256:016ad1afadf318eb7911baa24b049909f7f3bb2c5b1ed7b6a8f21db21ea3faa8", - "sha256:1a2994773706bbb4995c31a97bc94f1418314923bd1048c6d964837040376440", - "sha256:20460ac0ea439a3e79caa1dbd560344b64ed75e85d8703943e0b66c2a6150e4a", - "sha256:3311cb4237a341aa52ab8448c27e3a9931e2ee09561ad150ba94e4cfd3fc888c", - "sha256:3a8cb235fa6d3fd7aae6a4f1429bbb1fec1577d978098da1252f0489937786f3", - "sha256:3ab2204234c0ecd8b9368dbd6a53e83c3d4f3cab10ecaf6d0e772f456c442393", - "sha256:42ac0b2f44607eb92ae88609eda931a4f0dfa03038c44c772e07f43e738bcac9", - "sha256:49c32f216c17148695ca0e02a5c521e28a4ee6c5089f97e34fe24163113722da", - "sha256:4b774f9288dda8d425adb6544e5903f1fb6c273ab3128a355c6b972b7df39dcf", - "sha256:4c18264cb84b5e68e7085a43723f9e4c1fd1d935ab240ce02c0324a8e01ccb64", - "sha256:5a474fb80f5e0d6c9394d8db0fc19e90fa540b82ee52dba7d246a7791712f74a", - "sha256:64220c429e42a7150f4bfd280f6f4bb2850f95956bde93c6fda1b70507af6ef3", - "sha256:878433581fc23e906d947a6814336eee031a00e6defba224234169ae3d3d6a98", - "sha256:99abb85579e2165bd8522f0c0138864da97847875ecbd45f3e7e2af569bfc6f2", - "sha256:a2471f3f8693101975b1ff85ffd19bb7ca7dd7c38f8a81701f67d6b4f97b87d8", - "sha256:aeda827381f5e5d65cced3024126529ddc4289d944f75e090572c77ceb19adbf", - "sha256:b735e538f74ec31378f5a1e3886a26d2ca6351106b4dfde376a26fc32a044edc", - "sha256:c147257a92374fde8498491f53ffa8f4822cd70c0d85037e09028e478cababb7", - "sha256:c4db1bd596fefd66b296a3d5d943c94f4fac5bcd13e99bffe2ba6a759d959a28", - "sha256:c74bed51f9b41c48366a286395c67f4e894374306b197e62810e0fdaf2364da2", - "sha256:c9bb60a40a0ab9aba40a59f68214eed5a29c6274c83b2cc206a359c4a89fa41b", - "sha256:cc5d149f31706762c1f8bda2e8c4f8fead6e80312e3692619a75301d3dbb819a", - "sha256:ccf0d6bd208f8111179f0c26fdf84ed7c3891982f2edaeae7422575f47e66b64", - "sha256:e42296a09e83028b3476f7073fcb69ffebac0e66dbbfd1bd847d61f74db30f19", - "sha256:e8f2b814a3dc6225964fa03d8582c6e0b6650d68a232df41e3cc1b66a5d2f8d1", - "sha256:f0774bf48631f3a20471dd7c5989657b639fd2d285b861237ea9e82c36a415a9", - "sha256:f0e7c4b2f77593871e918be000b96c8107da48444d57005b6a6bc61fb4331b2c" - ], - "markers": "python_version >= '3.7'", - "version": "==0.19.3" - }, "pytest": { "hashes": [ - "sha256:2f2301e797521b23e4d2585a0a3d7b5e50fdddaaf7e7d6773ea26ddb17c213ab", - "sha256:460c9a59b14e27c602eb5ece2e47bec99dc5fc5f6513cf924a7d03a578991b1f" + "sha256:1d881c6124e08ff0a1bb75ba3ec0bfd8b5354a01c194ddd5a0a870a48d99b002", + "sha256:a766259cfab564a2ad52cb1aae1b881a75c3eb7e34ca3779697c23ed47c47069" ], "index": "pypi", - "version": "==7.4.1" + "markers": "python_version >= '3.7'", + "version": "==7.4.2" }, "pytest-asyncio": { "hashes": [ @@ -2359,6 +2529,7 @@ "sha256:8666c1c8ac02631d7c51ba282e0c69a8a452b211ffedf2599099845da5c5c37b" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==0.21.1" }, "pytest-cov": { @@ -2367,6 +2538,7 @@ "sha256:6ba70b9e97e69fcc3fb45bfeab2d0a138fb65c4d0d6a41ef33983ad114be8c3a" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==4.1.0" }, "pytest-mock": { @@ -2375,6 +2547,7 @@ "sha256:7f6b125602ac6d743e523ae0bfa71e1a697a2f5534064528c6ff84c2f7c2fc7f" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==3.11.1" }, "pytest-xdist": { @@ -2383,6 +2556,7 @@ "sha256:ff9daa7793569e6a68544850fd3927cd257cc03a7ef76c95e86915355e82b5f2" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==3.3.1" }, "python-dateutil": { @@ -2447,14 +2621,24 @@ "sha256:fd66fc5d0da6d9815ba2cebeb4205f95818ff4b79c3ebe268e75d961704af52f" ], "index": "pypi", + "markers": "python_version >= '3.6'", "version": "==6.0.1" }, + "referencing": { + "hashes": [ + "sha256:449b6669b6121a9e96a7f9e410b245d471e8d48964c67113ce9afe50c8dd7bdf", + "sha256:794ad8003c65938edcdbc027f1933215e0d0ccc0291e3ce20a4d87432b59efc0" + ], + "markers": "python_version >= '3.8'", + "version": "==0.30.2" + }, "requests": { "hashes": [ "sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f", "sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==2.31.0" }, "responses": { @@ -2463,23 +2647,127 @@ "sha256:e6fbcf5d82172fecc0aa1860fd91e58cbfd96cee5e96da5b63fa6eb3caa10dd3" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==0.23.3" }, "rich": { "hashes": [ - "sha256:146a90b3b6b47cac4a73c12866a499e9817426423f57c5a66949c086191a8808", - "sha256:fb9d6c0a0f643c99eed3875b5377a184132ba9be4d61516a55273d3554d75a39" + "sha256:2b38e2fe9ca72c9a00170a1a2d20c63c790d0e10ef1fe35eba76e1e7b1d7d245", + "sha256:5c14d22737e6d5084ef4771b62d5d4363165b403455a30a1c8ca39dc7b644bef" ], "markers": "python_full_version >= '3.7.0'", - "version": "==13.5.2" + "version": "==13.6.0" + }, + "rpds-py": { + "hashes": [ + "sha256:015de2ce2af1586ff5dc873e804434185199a15f7d96920ce67e50604592cae9", + "sha256:061c3ff1f51ecec256e916cf71cc01f9975af8fb3af9b94d3c0cc8702cfea637", + "sha256:08a80cf4884920863623a9ee9a285ee04cef57ebedc1cc87b3e3e0f24c8acfe5", + "sha256:09362f86ec201288d5687d1dc476b07bf39c08478cde837cb710b302864e7ec9", + "sha256:0bb4f48bd0dd18eebe826395e6a48b7331291078a879295bae4e5d053be50d4c", + "sha256:106af1653007cc569d5fbb5f08c6648a49fe4de74c2df814e234e282ebc06957", + "sha256:11fdd1192240dda8d6c5d18a06146e9045cb7e3ba7c06de6973000ff035df7c6", + "sha256:16a472300bc6c83fe4c2072cc22b3972f90d718d56f241adabc7ae509f53f154", + "sha256:176287bb998fd1e9846a9b666e240e58f8d3373e3bf87e7642f15af5405187b8", + "sha256:177914f81f66c86c012311f8c7f46887ec375cfcfd2a2f28233a3053ac93a569", + "sha256:177c9dd834cdf4dc39c27436ade6fdf9fe81484758885f2d616d5d03c0a83bd2", + "sha256:187700668c018a7e76e89424b7c1042f317c8df9161f00c0c903c82b0a8cac5c", + "sha256:1d9b5ee46dcb498fa3e46d4dfabcb531e1f2e76b477e0d99ef114f17bbd38453", + "sha256:22da15b902f9f8e267020d1c8bcfc4831ca646fecb60254f7bc71763569f56b1", + "sha256:24cd91a03543a0f8d09cb18d1cb27df80a84b5553d2bd94cba5979ef6af5c6e7", + "sha256:255f1a10ae39b52122cce26ce0781f7a616f502feecce9e616976f6a87992d6b", + "sha256:271c360fdc464fe6a75f13ea0c08ddf71a321f4c55fc20a3fe62ea3ef09df7d9", + "sha256:2ed83d53a8c5902ec48b90b2ac045e28e1698c0bea9441af9409fc844dc79496", + "sha256:2f3e1867dd574014253b4b8f01ba443b9c914e61d45f3674e452a915d6e929a3", + "sha256:35fbd23c1c8732cde7a94abe7fb071ec173c2f58c0bd0d7e5b669fdfc80a2c7b", + "sha256:37d0c59548ae56fae01c14998918d04ee0d5d3277363c10208eef8c4e2b68ed6", + "sha256:39d05e65f23a0fe897b6ac395f2a8d48c56ac0f583f5d663e0afec1da89b95da", + "sha256:3ad59efe24a4d54c2742929001f2d02803aafc15d6d781c21379e3f7f66ec842", + "sha256:3aed39db2f0ace76faa94f465d4234aac72e2f32b009f15da6492a561b3bbebd", + "sha256:3bbac1953c17252f9cc675bb19372444aadf0179b5df575ac4b56faaec9f6294", + "sha256:40bc802a696887b14c002edd43c18082cb7b6f9ee8b838239b03b56574d97f71", + "sha256:42f712b4668831c0cd85e0a5b5a308700fe068e37dcd24c0062904c4e372b093", + "sha256:448a66b8266de0b581246ca7cd6a73b8d98d15100fb7165974535fa3b577340e", + "sha256:485301ee56ce87a51ccb182a4b180d852c5cb2b3cb3a82f7d4714b4141119d8c", + "sha256:485747ee62da83366a44fbba963c5fe017860ad408ccd6cd99aa66ea80d32b2e", + "sha256:4cf0855a842c5b5c391dd32ca273b09e86abf8367572073bd1edfc52bc44446b", + "sha256:4eca20917a06d2fca7628ef3c8b94a8c358f6b43f1a621c9815243462dcccf97", + "sha256:4ed172d0c79f156c1b954e99c03bc2e3033c17efce8dd1a7c781bc4d5793dfac", + "sha256:5267cfda873ad62591b9332fd9472d2409f7cf02a34a9c9cb367e2c0255994bf", + "sha256:52b5cbc0469328e58180021138207e6ec91d7ca2e037d3549cc9e34e2187330a", + "sha256:53d7a3cd46cdc1689296348cb05ffd4f4280035770aee0c8ead3bbd4d6529acc", + "sha256:563646d74a4b4456d0cf3b714ca522e725243c603e8254ad85c3b59b7c0c4bf0", + "sha256:570cc326e78ff23dec7f41487aa9c3dffd02e5ee9ab43a8f6ccc3df8f9327623", + "sha256:5aca759ada6b1967fcfd4336dcf460d02a8a23e6abe06e90ea7881e5c22c4de6", + "sha256:5de11c041486681ce854c814844f4ce3282b6ea1656faae19208ebe09d31c5b8", + "sha256:5e271dd97c7bb8eefda5cca38cd0b0373a1fea50f71e8071376b46968582af9b", + "sha256:642ed0a209ced4be3a46f8cb094f2d76f1f479e2a1ceca6de6346a096cd3409d", + "sha256:6446002739ca29249f0beaaf067fcbc2b5aab4bc7ee8fb941bd194947ce19aff", + "sha256:691d50c99a937709ac4c4cd570d959a006bd6a6d970a484c84cc99543d4a5bbb", + "sha256:69b857a7d8bd4f5d6e0db4086da8c46309a26e8cefdfc778c0c5cc17d4b11e08", + "sha256:6ac3fefb0d168c7c6cab24fdfc80ec62cd2b4dfd9e65b84bdceb1cb01d385c33", + "sha256:6c9141af27a4e5819d74d67d227d5047a20fa3c7d4d9df43037a955b4c748ec5", + "sha256:7170cbde4070dc3c77dec82abf86f3b210633d4f89550fa0ad2d4b549a05572a", + "sha256:763ad59e105fca09705d9f9b29ecffb95ecdc3b0363be3bb56081b2c6de7977a", + "sha256:77076bdc8776a2b029e1e6ffbe6d7056e35f56f5e80d9dc0bad26ad4a024a762", + "sha256:7cd020b1fb41e3ab7716d4d2c3972d4588fdfbab9bfbbb64acc7078eccef8860", + "sha256:821392559d37759caa67d622d0d2994c7a3f2fb29274948ac799d496d92bca73", + "sha256:829e91f3a8574888b73e7a3feb3b1af698e717513597e23136ff4eba0bc8387a", + "sha256:850c272e0e0d1a5c5d73b1b7871b0a7c2446b304cec55ccdb3eaac0d792bb065", + "sha256:87d9b206b1bd7a0523375dc2020a6ce88bca5330682ae2fe25e86fd5d45cea9c", + "sha256:8bd01ff4032abaed03f2db702fa9a61078bee37add0bd884a6190b05e63b028c", + "sha256:8d54bbdf5d56e2c8cf81a1857250f3ea132de77af543d0ba5dce667183b61fec", + "sha256:8efaeb08ede95066da3a3e3c420fcc0a21693fcd0c4396d0585b019613d28515", + "sha256:8f94fdd756ba1f79f988855d948ae0bad9ddf44df296770d9a58c774cfbcca72", + "sha256:95cde244e7195b2c07ec9b73fa4c5026d4a27233451485caa1cd0c1b55f26dbd", + "sha256:975382d9aa90dc59253d6a83a5ca72e07f4ada3ae3d6c0575ced513db322b8ec", + "sha256:9dd9d9d9e898b9d30683bdd2b6c1849449158647d1049a125879cb397ee9cd12", + "sha256:a019a344312d0b1f429c00d49c3be62fa273d4a1094e1b224f403716b6d03be1", + "sha256:a4d9bfda3f84fc563868fe25ca160c8ff0e69bc4443c5647f960d59400ce6557", + "sha256:a657250807b6efd19b28f5922520ae002a54cb43c2401e6f3d0230c352564d25", + "sha256:a771417c9c06c56c9d53d11a5b084d1de75de82978e23c544270ab25e7c066ff", + "sha256:aad6ed9e70ddfb34d849b761fb243be58c735be6a9265b9060d6ddb77751e3e8", + "sha256:ae87137951bb3dc08c7d8bfb8988d8c119f3230731b08a71146e84aaa919a7a9", + "sha256:af247fd4f12cca4129c1b82090244ea5a9d5bb089e9a82feb5a2f7c6a9fe181d", + "sha256:b5d4bdd697195f3876d134101c40c7d06d46c6ab25159ed5cbd44105c715278a", + "sha256:b9255e7165083de7c1d605e818025e8860636348f34a79d84ec533546064f07e", + "sha256:c22211c165166de6683de8136229721f3d5c8606cc2c3d1562da9a3a5058049c", + "sha256:c55f9821f88e8bee4b7a72c82cfb5ecd22b6aad04033334f33c329b29bfa4da0", + "sha256:c7aed97f2e676561416c927b063802c8a6285e9b55e1b83213dfd99a8f4f9e48", + "sha256:cd2163f42868865597d89399a01aa33b7594ce8e2c4a28503127c81a2f17784e", + "sha256:ce5e7504db95b76fc89055c7f41e367eaadef5b1d059e27e1d6eabf2b55ca314", + "sha256:cff7351c251c7546407827b6a37bcef6416304fc54d12d44dbfecbb717064717", + "sha256:d27aa6bbc1f33be920bb7adbb95581452cdf23005d5611b29a12bb6a3468cc95", + "sha256:d3b52a67ac66a3a64a7e710ba629f62d1e26ca0504c29ee8cbd99b97df7079a8", + "sha256:de61e424062173b4f70eec07e12469edde7e17fa180019a2a0d75c13a5c5dc57", + "sha256:e10e6a1ed2b8661201e79dff5531f8ad4cdd83548a0f81c95cf79b3184b20c33", + "sha256:e1a0ffc39f51aa5f5c22114a8f1906b3c17eba68c5babb86c5f77d8b1bba14d1", + "sha256:e22491d25f97199fc3581ad8dd8ce198d8c8fdb8dae80dea3512e1ce6d5fa99f", + "sha256:e626b864725680cd3904414d72e7b0bd81c0e5b2b53a5b30b4273034253bb41f", + "sha256:e8c71ea77536149e36c4c784f6d420ffd20bea041e3ba21ed021cb40ce58e2c9", + "sha256:e8d0f0eca087630d58b8c662085529781fd5dc80f0a54eda42d5c9029f812599", + "sha256:ea65b59882d5fa8c74a23f8960db579e5e341534934f43f3b18ec1839b893e41", + "sha256:ea93163472db26ac6043e8f7f93a05d9b59e0505c760da2a3cd22c7dd7111391", + "sha256:eab75a8569a095f2ad470b342f2751d9902f7944704f0571c8af46bede438475", + "sha256:ed8313809571a5463fd7db43aaca68ecb43ca7a58f5b23b6e6c6c5d02bdc7882", + "sha256:ef5fddfb264e89c435be4adb3953cef5d2936fdeb4463b4161a6ba2f22e7b740", + "sha256:ef750a20de1b65657a1425f77c525b0183eac63fe7b8f5ac0dd16f3668d3e64f", + "sha256:efb9ece97e696bb56e31166a9dd7919f8f0c6b31967b454718c6509f29ef6fee", + "sha256:f4c179a7aeae10ddf44c6bac87938134c1379c49c884529f090f9bf05566c836", + "sha256:f602881d80ee4228a2355c68da6b296a296cd22bbb91e5418d54577bbf17fa7c", + "sha256:fc2200e79d75b5238c8d69f6a30f8284290c777039d331e7340b6c17cad24a5a", + "sha256:fcc1ebb7561a3e24a6588f7c6ded15d80aec22c66a070c757559b57b17ffd1cb" + ], + "markers": "python_version >= '3.8'", + "version": "==0.10.3" }, "setuptools": { "hashes": [ - "sha256:11e52c67415a381d10d6b462ced9cfb97066179f0e871399e006c4ab101fc85f", - "sha256:baf1fdb41c6da4cd2eae722e135500da913332ab3f2f5c7d33af9b492acb5235" + "sha256:4ac1475276d2f1c48684874089fefcd83bd7162ddaafb81fac866ba0db282a87", + "sha256:b454a35605876da60632df1a60f736524eb73cc47bbc9f3f1ef1b644de74fd2a" ], - "markers": "python_version >= '3.7'", - "version": "==68.0.0" + "markers": "python_version >= '3.8'", + "version": "==68.2.2" }, "six": { "hashes": [ @@ -2491,19 +2779,19 @@ }, "smmap": { "hashes": [ - "sha256:2aba19d6a040e78d8b09de5c57e96207b09ed71d8e55ce0959eeee6c8e190d94", - "sha256:c840e62059cd3be204b0c9c9f74be2c09d5648eddd4580d9314c3ecde0b30936" + "sha256:dceeb6c0028fdb6734471eb07c0cd2aae706ccaecab45965ee83f11c8d3b1f62", + "sha256:e6d8668fa5f93e706934a62d7b4db19c8d9eb8cf2adbb75ef1b675aa332b69da" ], - "markers": "python_version >= '3.6'", - "version": "==5.0.0" + "markers": "python_version >= '3.7'", + "version": "==5.0.1" }, "stevedore": { "hashes": [ - "sha256:cf99f41fc0d5a4f185ca4d3d42b03be9011b0a1ec1a4ea1a282be1b4b306dcc2", - "sha256:fa2630e3d0ad3e22d4914aff2501445815b9a4467a6edc49387c667a38faf5bf" + "sha256:8cc040628f3cea5d7128f2e76cf486b2251a4e543c7b938f58d9a377f6694a2d", + "sha256:a54534acf9b89bc7ed264807013b505bf07f74dbe4bcfa37d32bd063870b087c" ], - "markers": "python_version >= '3.6'", - "version": "==3.5.2" + "markers": "python_version >= '3.8'", + "version": "==5.1.0" }, "toml": { "hashes": [ @@ -2521,60 +2809,13 @@ "markers": "python_version < '3.11'", "version": "==2.0.1" }, - "typed-ast": { - "hashes": [ - "sha256:042eb665ff6bf020dd2243307d11ed626306b82812aba21836096d229fdc6a10", - "sha256:045f9930a1550d9352464e5149710d56a2aed23a2ffe78946478f7b5416f1ede", - "sha256:0635900d16ae133cab3b26c607586131269f88266954eb04ec31535c9a12ef1e", - "sha256:118c1ce46ce58fda78503eae14b7664163aa735b620b64b5b725453696f2a35c", - "sha256:16f7313e0a08c7de57f2998c85e2a69a642e97cb32f87eb65fbfe88381a5e44d", - "sha256:1efebbbf4604ad1283e963e8915daa240cb4bf5067053cf2f0baadc4d4fb51b8", - "sha256:2188bc33d85951ea4ddad55d2b35598b2709d122c11c75cffd529fbc9965508e", - "sha256:2b946ef8c04f77230489f75b4b5a4a6f24c078be4aed241cfabe9cbf4156e7e5", - "sha256:335f22ccb244da2b5c296e6f96b06ee9bed46526db0de38d2f0e5a6597b81155", - "sha256:381eed9c95484ceef5ced626355fdc0765ab51d8553fec08661dce654a935db4", - "sha256:429ae404f69dc94b9361bb62291885894b7c6fb4640d561179548c849f8492ba", - "sha256:44f214394fc1af23ca6d4e9e744804d890045d1643dd7e8229951e0ef39429b5", - "sha256:48074261a842acf825af1968cd912f6f21357316080ebaca5f19abbb11690c8a", - "sha256:4bc1efe0ce3ffb74784e06460f01a223ac1f6ab31c6bc0376a21184bf5aabe3b", - "sha256:57bfc3cf35a0f2fdf0a88a3044aafaec1d2f24d8ae8cd87c4f58d615fb5b6311", - "sha256:597fc66b4162f959ee6a96b978c0435bd63791e31e4f410622d19f1686d5e769", - "sha256:5f7a8c46a8b333f71abd61d7ab9255440d4a588f34a21f126bbfc95f6049e686", - "sha256:5fe83a9a44c4ce67c796a1b466c270c1272e176603d5e06f6afbc101a572859d", - "sha256:61443214d9b4c660dcf4b5307f15c12cb30bdfe9588ce6158f4a005baeb167b2", - "sha256:622e4a006472b05cf6ef7f9f2636edc51bda670b7bbffa18d26b255269d3d814", - "sha256:6eb936d107e4d474940469e8ec5b380c9b329b5f08b78282d46baeebd3692dc9", - "sha256:7f58fabdde8dcbe764cef5e1a7fcb440f2463c1bbbec1cf2a86ca7bc1f95184b", - "sha256:83509f9324011c9a39faaef0922c6f720f9623afe3fe220b6d0b15638247206b", - "sha256:8c524eb3024edcc04e288db9541fe1f438f82d281e591c548903d5b77ad1ddd4", - "sha256:94282f7a354f36ef5dbce0ef3467ebf6a258e370ab33d5b40c249fa996e590dd", - "sha256:b445c2abfecab89a932b20bd8261488d574591173d07827c1eda32c457358b18", - "sha256:be4919b808efa61101456e87f2d4c75b228f4e52618621c77f1ddcaae15904fa", - "sha256:bfd39a41c0ef6f31684daff53befddae608f9daf6957140228a08e51f312d7e6", - "sha256:c631da9710271cb67b08bd3f3813b7af7f4c69c319b75475436fcab8c3d21bee", - "sha256:cc95ffaaab2be3b25eb938779e43f513e0e538a84dd14a5d844b8f2932593d88", - "sha256:d09d930c2d1d621f717bb217bf1fe2584616febb5138d9b3e8cdd26506c3f6d4", - "sha256:d40c10326893ecab8a80a53039164a224984339b2c32a6baf55ecbd5b1df6431", - "sha256:d41b7a686ce653e06c2609075d397ebd5b969d821b9797d029fccd71fdec8e04", - "sha256:d5c0c112a74c0e5db2c75882a0adf3133adedcdbfd8cf7c9d6ed77365ab90a1d", - "sha256:e1a976ed4cc2d71bb073e1b2a250892a6e968ff02aa14c1f40eba4f365ffec02", - "sha256:e48bf27022897577d8479eaed64701ecaf0467182448bd95759883300ca818c8", - "sha256:ed4a1a42df8a3dfb6b40c3d2de109e935949f2f66b19703eafade03173f8f437", - "sha256:f0aefdd66f1784c58f65b502b6cf8b121544680456d1cebbd300c2c813899274", - "sha256:fc2b8c4e1bc5cd96c1a823a885e6b158f8451cf6f5530e1829390b4d27d0807f", - "sha256:fd946abf3c31fb50eee07451a6aedbfff912fcd13cf357363f5b4e834cc5e71a", - "sha256:fe58ef6a764de7b4b36edfc8592641f56e69b7163bba9f9c8089838ee596bfb2" - ], - "markers": "python_version < '3.8'", - "version": "==1.5.5" - }, "types-awscrt": { "hashes": [ - "sha256:61833aa140e724a9098025610f4b8cde3dcf65b842631d7447378f9f5db4e1fd", - "sha256:68fffeb75396e9e7614cd930b2d52295f680230774750907bcafb56f11514043" + "sha256:477a14565909312fe1de70d0b301548e83c038f436b8a1d7c83729e87cdd0b85", + "sha256:d8c379420ba75b1e43687d12b0b772a5bb17f352859a2bef6aa8f0abde123f55" ], "markers": "python_version >= '3.7' and python_version < '4.0'", - "version": "==0.19.1" + "version": "==0.19.2" }, "types-cachetools": { "hashes": [ @@ -2610,27 +2851,28 @@ }, "types-pyyaml": { "hashes": [ - "sha256:7d340b19ca28cddfdba438ee638cd4084bde213e501a3978738543e27094775b", - "sha256:a461508f3096d1d5810ec5ab95d7eeecb651f3a15b71959999988942063bf01d" + "sha256:334373d392fde0fdf95af5c3f1661885fa10c52167b14593eb856289e1855062", + "sha256:c05bc6c158facb0676674b7f11fe3960db4f389718e19e62bd2b84d6205cfd24" ], "index": "pypi", - "version": "==6.0.12.11" + "version": "==6.0.12.12" }, "types-requests": { "hashes": [ - "sha256:56d181c85b5925cbc59f4489a57e72a8b2166f18273fd8ba7b6fe0c0b986f12a", - "sha256:6aa3f7faf0ea52d728bb18c0a0d1522d9bfd8c72d26ff6f61bfc3d06a411cf40" + "sha256:a2db9cb228a81da8348b49ad6db3f5519452dd20a9c1e1a868c83c5fe88fd1a9", + "sha256:cd74ce3b53c461f1228a9b783929ac73a666658f223e28ed29753771477b3bd0" ], "index": "pypi", - "version": "==2.31.0.2" + "markers": "python_version >= '3.7'", + "version": "==2.31.0.6" }, "types-s3transfer": { "hashes": [ - "sha256:1068877b6e59be5226fa3006ae64371ac9d5bc590dfdbd9c66fd0a075d3254ac", - "sha256:4ba9b483796fdcd026aa162ee03bdcedd2bf7d08e9387c820dcdd158b0102057" + "sha256:aca0f2486d0a3a5037cd5b8f3e20a4522a29579a8dd183281ff0aa1c4e2c8aa7", + "sha256:ae9ed9273465d9f43da8b96307383da410c6b59c3b2464c88d20b578768e97c6" ], "markers": "python_version >= '3.7' and python_version < '4.0'", - "version": "==0.6.2" + "version": "==0.7.0" }, "types-tabulate": { "hashes": [ @@ -2658,19 +2900,21 @@ }, "typing-extensions": { "hashes": [ - "sha256:440d5dd3af93b060174bf433bccd69b0babc3b15b1a8dca43789fd7f61514b36", - "sha256:b75ddc264f0ba5615db7ba217daeb99701ad295353c45f9e95963337ceeeffb2" + "sha256:8f92fc8806f9a6b641eaa5318da32b44d401efaac0f6678c9bc448ba3605faa0", + "sha256:df8e4339e9cb77357558cbdbceca33c303714cf861d1eef15e1070055ae8b7ef" ], "index": "pypi", - "version": "==4.7.1" + "markers": "python_version >= '3.8'", + "version": "==4.8.0" }, "urllib3": { "hashes": [ - "sha256:8d36afa7616d8ab714608411b4a3b13e58f463aee519024578e062e141dce20f", - "sha256:8f135f6502756bde6b2a9b28989df5fbe87c9970cecaa69041edcce7f0589b14" + "sha256:24d6a242c28d29af46c3fae832c36db3bbebcc533dd1bb549172cd739c82df21", + "sha256:94a757d178c9be92ef5539b8840d48dc9cf1b2709c9d6b588232a055c524458b" ], + "index": "pypi", "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'", - "version": "==1.26.16" + "version": "==1.26.17" }, "urllib3-mock": { "hashes": [ @@ -2682,11 +2926,11 @@ }, "virtualenv": { "hashes": [ - "sha256:0ef5be6d07181946891f5abc8047fda8bc2f0b4b9bf222c64e6e8963baee76db", - "sha256:635b272a8e2f77cb051946f46c60a54ace3cb5e25568228bd6b57fc70eca9ff3" + "sha256:b80039f280f4919c77b30f1c23294ae357c4c8701042086e3fc005963e4e537b", + "sha256:e8361967f6da6fbdf1426483bfe9fca8287c242ac0bc30429905721cefbff752" ], - "markers": "python_version >= '3.6'", - "version": "==20.16.2" + "markers": "python_version >= '3.7'", + "version": "==20.24.5" }, "yarl": { "hashes": [ @@ -2766,15 +3010,16 @@ "sha256:f7a3d8146575e08c29ed1cd287068e6d02f1c7bdff8970db96683b9591b86ee7" ], "index": "pypi", + "markers": "python_version >= '3.7'", "version": "==1.9.2" }, "zipp": { "hashes": [ - "sha256:112929ad649da941c23de50f356a2b5570c954b65150642bccdd66bf194d224b", - "sha256:48904fc76a60e542af151aded95726c1a5c34ed43ab4134b597665c86d7ad556" + "sha256:0e923e726174922dce09c53c59ad483ff7bbb8e572e00c7f7c46b88556409f31", + "sha256:84e64a1c28cf7e91ed2078bb8cc8c259cb19b76942096c8d7b84947690cabaf0" ], - "markers": "python_version >= '3.7'", - "version": "==3.15.0" + "markers": "python_version >= '3.8'", + "version": "==3.17.0" } } } diff --git a/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py b/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py new file mode 100644 index 00000000000..6fe3b21019d --- /dev/null +++ b/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py @@ -0,0 +1,28 @@ +from __future__ import annotations + +from typing import Any + +from checkov.arm.base_resource_check import BaseResourceCheck +from checkov.common.models.enums import CheckCategories, CheckResult + + +class AppServiceUsedAzureFiles(BaseResourceCheck): + def __init__(self) -> None: + name = "Ensure that app services use Azure Files" + id = "CKV_AZURE_88" + supported_resources = ("Microsoft.Web/sites/config",) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: + properties = conf.get('properties') + if properties and isinstance(properties, dict): + azureStorageAccounts = properties.get("azureStorageAccounts") + if azureStorageAccounts and isinstance(azureStorageAccounts, dict): + for account_data in azureStorageAccounts.values(): + if isinstance(account_data, dict) and account_data.get('type') == "AzureFiles": + return CheckResult.PASSED + return CheckResult.FAILED + + +check = AppServiceUsedAzureFiles() diff --git a/checkov/arm/checks/resource/SQLServerUsesADAuth.py b/checkov/arm/checks/resource/SQLServerUsesADAuth.py new file mode 100644 index 00000000000..3b228e23fc7 --- /dev/null +++ b/checkov/arm/checks/resource/SQLServerUsesADAuth.py @@ -0,0 +1,29 @@ +from __future__ import annotations + +from typing import Any + +from checkov.common.models.consts import ANY_VALUE +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck + + +class SQLServerUsesADAuth(BaseResourceNegativeValueCheck): + def __init__(self) -> None: + """ + I think that this check is really, ensure that only AD auth is used (not user/pass) + """ + + name = "Ensure Azure AD authentication is enabled for Azure SQL (MSSQL)" + id = "CKV2_AZURE_27" + supported_resources = ["Microsoft.Sql/servers"] + categories = [CheckCategories.GENERAL_SECURITY] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return 'properties/administratorLogin' + + def get_forbidden_values(self) -> list[Any]: + return [ANY_VALUE] + + +check = SQLServerUsesADAuth() diff --git a/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py b/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py new file mode 100644 index 00000000000..e1cedfc61e7 --- /dev/null +++ b/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py @@ -0,0 +1,51 @@ +from __future__ import annotations + +from typing import Any + +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_check import BaseResourceCheck + + +class VMDisablePasswordAuthentication(BaseResourceCheck): + def __init__(self) -> None: + name = "Ensure that Virtual machine does not enable password authentication" + id = "CKV_AZURE_149" + supported_resources = ( + "Microsoft.Compute/virtualMachineScaleSets", + "Microsoft.Compute/virtualMachines", + ) + categories = (CheckCategories.ENCRYPTION,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: + os_profile = None + + properties = conf.get("properties") + if properties and isinstance(properties, dict): + if self.entity_type == "Microsoft.Compute/virtualMachines": + tmp_os_profile = properties.get("osProfile") + if tmp_os_profile and isinstance(tmp_os_profile, dict): + os_profile = tmp_os_profile + elif self.entity_type == "Microsoft.Compute/virtualMachineScaleSets": + vm_profile = properties.get("virtualMachineProfile") + if vm_profile and isinstance(vm_profile, dict): + tmp_os_profile = vm_profile.get("osProfile") + if tmp_os_profile and isinstance(tmp_os_profile, dict): + os_profile = tmp_os_profile + + if os_profile is None: + return CheckResult.UNKNOWN + + linux_config = os_profile.get("linuxConfiguration") + if linux_config and isinstance(linux_config, dict): + pass_auth = linux_config.get("disablePasswordAuthentication") + if pass_auth and isinstance(pass_auth, bool): + return CheckResult.PASSED if pass_auth and isinstance(pass_auth, bool) else CheckResult.FAILED + return CheckResult.FAILED + + return CheckResult.UNKNOWN + + return CheckResult.FAILED + + +check = VMDisablePasswordAuthentication() diff --git a/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py b/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py new file mode 100644 index 00000000000..53e35feb4bc --- /dev/null +++ b/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py @@ -0,0 +1,42 @@ +from __future__ import annotations + +from typing import Any + +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_check import BaseResourceCheck +from checkov.common.util.data_structures_utils import find_in_dict + + +class VMScaleSetsAutoOSImagePatchingEnabled(BaseResourceCheck): + def __init__(self) -> None: + name = "Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets" + id = "CKV_AZURE_95" + supported_resources = ("Microsoft.Compute/virtualMachineScaleSets",) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: + properties = conf.get("properties") + if properties and isinstance(properties, dict): + if properties.get("orchestrationMode") == "Flexible": + self.evaluated_keys = ["properties/orchestrationMode"] + return CheckResult.FAILED + + self.evaluated_keys = ["properties/virtualMachineProfile/extensionProfile/extensions"] + extensions = find_in_dict( + input_dict=properties, + key_path="virtualMachineProfile/extensionProfile/extensions", + ) + if extensions: + for extension in extensions: + extension_properties = extension.get("properties") + if extension_properties and isinstance(extension_properties, dict): + if extension_properties.get("enableAutomaticUpgrade") is True: + return CheckResult.PASSED + + return CheckResult.FAILED + + return CheckResult.UNKNOWN + + +check = VMScaleSetsAutoOSImagePatchingEnabled() diff --git a/checkov/arm/graph_builder/graph_components/block_types.py b/checkov/arm/graph_builder/graph_components/block_types.py index ab5a1080f58..bf8022f4e54 100644 --- a/checkov/arm/graph_builder/graph_components/block_types.py +++ b/checkov/arm/graph_builder/graph_components/block_types.py @@ -1,12 +1,11 @@ +from __future__ import annotations + from dataclasses import dataclass -from typing import TYPE_CHECKING +from typing import Literal from checkov.common.graph.graph_builder.graph_components.block_types import BlockType as CommonBlockType -if TYPE_CHECKING: - from typing_extensions import Literal - @dataclass class BlockType(CommonBlockType): - PARAMETER: 'Literal["parameter"]' = "parameter" + PARAMETER: Literal["parameter"] = "parameter" diff --git a/checkov/arm/runner.py b/checkov/arm/runner.py index f6531092b2c..876feff191c 100644 --- a/checkov/arm/runner.py +++ b/checkov/arm/runner.py @@ -18,7 +18,7 @@ from checkov.common.output.record import Record from checkov.common.output.report import Report from checkov.common.bridgecrew.check_type import CheckType -from checkov.common.runners.base_runner import BaseRunner, CHECKOV_CREATE_GRAPH +from checkov.common.runners.base_runner import BaseRunner from checkov.common.util.consts import START_LINE, END_LINE from checkov.common.util.secrets import omit_secret_value_from_checks from checkov.runner_filter import RunnerFilter @@ -80,7 +80,7 @@ def run( for directory in external_checks_dir: arm_resource_registry.load_external_checks(directory) - if CHECKOV_CREATE_GRAPH and self.graph_registry: + if self.graph_registry: self.graph_registry.load_external_checks(directory) if files: @@ -96,7 +96,7 @@ def run( report.add_parsing_errors(parsing_errors) - if CHECKOV_CREATE_GRAPH and self.graph_registry and self.graph_manager: + if self.graph_registry and self.graph_manager: logging.info("Creating ARM graph") local_graph = self.graph_manager.build_graph_from_definitions(definitions=self.definitions) logging.info("Successfully created ARM graph") @@ -109,7 +109,7 @@ def run( self.add_python_check_results(report=report, runner_filter=runner_filter, root_folder=root_folder) # run graph checks - if CHECKOV_CREATE_GRAPH and self.graph_registry: + if self.graph_registry: self.add_graph_check_results(report=report, runner_filter=runner_filter) return report diff --git a/checkov/bicep/graph_builder/graph_components/block_types.py b/checkov/bicep/graph_builder/graph_components/block_types.py index 0894196ca15..95a6b567d8c 100644 --- a/checkov/bicep/graph_builder/graph_components/block_types.py +++ b/checkov/bicep/graph_builder/graph_components/block_types.py @@ -1,6 +1,7 @@ from dataclasses import dataclass +from typing import Literal -from typing_extensions import Literal, TypeAlias +from typing_extensions import TypeAlias # noqa[TC002] from checkov.common.graph.graph_builder.graph_components.block_types import BlockType as CommonBlockType diff --git a/checkov/bicep/graph_builder/local_graph.py b/checkov/bicep/graph_builder/local_graph.py index 0f3f851d2e3..0bf98d1cb13 100644 --- a/checkov/bicep/graph_builder/local_graph.py +++ b/checkov/bicep/graph_builder/local_graph.py @@ -3,10 +3,10 @@ import logging from enum import Enum from pathlib import Path -from typing import Any, TYPE_CHECKING, overload +from typing import Any, TYPE_CHECKING, overload, Literal from pycep.transformer import BicepElement -from typing_extensions import Literal, TypeAlias +from typing_extensions import TypeAlias # noqa[TC002] from checkov.bicep.graph_builder.graph_components.block_types import BlockType from checkov.bicep.graph_builder.graph_components.blocks import BicepBlock diff --git a/checkov/bicep/runner.py b/checkov/bicep/runner.py index 668ff8d5752..78a0c342166 100644 --- a/checkov/bicep/runner.py +++ b/checkov/bicep/runner.py @@ -3,7 +3,7 @@ import os import logging from pathlib import Path -from typing import cast, Type, TYPE_CHECKING, Any +from typing import cast, Type, TYPE_CHECKING, Any, Literal from typing_extensions import TypeAlias # noqa[TC002] @@ -27,7 +27,7 @@ from checkov.common.output.record import Record from checkov.common.output.report import Report from checkov.common.bridgecrew.check_type import CheckType -from checkov.common.runners.base_runner import BaseRunner, CHECKOV_CREATE_GRAPH +from checkov.common.runners.base_runner import BaseRunner from checkov.common.typing import _CheckResult from checkov.common.util.secrets import omit_secret_value_from_checks from checkov.common.util.suppression import collect_suppressions_for_report @@ -40,7 +40,6 @@ from checkov.common.images.image_referencer import Image from networkx import DiGraph from pycep.typing import BicepJson - from typing_extensions import Literal _BicepContext: TypeAlias = "dict[str, dict[str, Any]]" _BicepDefinitions: TypeAlias = "dict[Path, BicepJson]" @@ -106,21 +105,18 @@ def run( if external_checks_dir: for directory in external_checks_dir: resource_registry.load_external_checks(directory) - - if CHECKOV_CREATE_GRAPH: - self.graph_registry.load_external_checks(directory) + self.graph_registry.load_external_checks(directory) self.context = build_definitions_context(definitions=self.definitions, definitions_raw=self.definitions_raw) - if CHECKOV_CREATE_GRAPH: - logging.info("Creating Bicep graph") - local_graph = self.graph_manager.build_graph_from_definitions(self.definitions) - logging.info("Successfully created Bicep graph") + logging.info("Creating Bicep graph") + local_graph = self.graph_manager.build_graph_from_definitions(self.definitions) + logging.info("Successfully created Bicep graph") - self.graph_manager.save_graph(local_graph) - self.definitions, self.breadcrumbs = convert_graph_vertices_to_tf_definitions( - vertices=local_graph.vertices, root_folder=root_folder - ) + self.graph_manager.save_graph(local_graph) + self.definitions, self.breadcrumbs = convert_graph_vertices_to_tf_definitions( + vertices=local_graph.vertices, root_folder=root_folder + ) self.pbar.initiate(len(self.definitions)) @@ -128,8 +124,7 @@ def run( self.add_python_check_results(report=report, runner_filter=runner_filter, root_folder=root_folder) # run graph checks - if CHECKOV_CREATE_GRAPH: - self.add_graph_check_results(report=report, runner_filter=runner_filter) + self.add_graph_check_results(report=report, runner_filter=runner_filter) if runner_filter.run_image_referencer: if files: diff --git a/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py b/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py new file mode 100644 index 00000000000..9f8a459dd0c --- /dev/null +++ b/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py @@ -0,0 +1,33 @@ +from typing import List, Any + +from checkov.cloudformation.checks.resource.base_resource_negative_value_check import BaseResourceNegativeValueCheck +from checkov.common.models.enums import CheckCategories + + +class DeprecatedLambdaRuntime(BaseResourceNegativeValueCheck): + def __init__(self): + name = "Ensure Lambda Runtime is not deprecated" + id = "CKV_AWS_363" + supported_resources = ['AWS::Lambda::Function', 'AWS::Serverless::Function'] + categories = [CheckCategories.GENERAL_SECURITY] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "Properties/Runtime" + + def get_forbidden_values(self) -> List[Any]: + return ["dotnetcore3.1", "nodejs12.x", "python3.6", "python2.7", "dotnet5.0", "dotnetcore2.1", "ruby2.5", + "nodejs10.x", "nodejs8.10", "nodejs4.3", "nodejs6.10", "dotnetcore1.0", "dotnetcore2.0", + "nodejs4.3-edge", "nodejs", + # "python3.7", # Uncomment on Nov 27, 2023 + # "nodejs14.x", # Uncomment on Nov 27, 2023 + # "ruby2.7", # Uncomment on Dec 7, 2023 + # "provided", # Uncomment on Dec 31, 2023 + # "go1.x", # Uncomment on Dec 31, 2023 + # "java8", # Uncomment on Dec 31, 2023 + # "nodejs16.x", # Uncomment on Mar 11, 2024 + # "dotnet7", # Uncomment on May 14, 2024 + ] + + +check = DeprecatedLambdaRuntime() diff --git a/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py b/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py new file mode 100644 index 00000000000..b3db3e802e1 --- /dev/null +++ b/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py @@ -0,0 +1,25 @@ +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class DocDBBackupRetention(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure DocDB has an adequate backup retention period" + id = "CKV_AWS_360" + supported_resources = ("AWS::DocDB::DBCluster",) + categories = (CheckCategories.BACKUP_AND_RECOVERY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "Properties/BackupRetentionPeriod" + + def scan_resource_conf(self, conf) -> CheckResult: + properties = conf.get("Properties") + if properties: + backup_retention_period = properties.get("BackupRetentionPeriod", 1) + if backup_retention_period >= 7: + return CheckResult.PASSED + return CheckResult.FAILED + + +check = DocDBBackupRetention() diff --git a/checkov/cloudformation/checks/resource/aws/IMDSv1Disabled.py b/checkov/cloudformation/checks/resource/aws/IMDSv1Disabled.py index 4cb2d9be02f..27c00b3162e 100644 --- a/checkov/cloudformation/checks/resource/aws/IMDSv1Disabled.py +++ b/checkov/cloudformation/checks/resource/aws/IMDSv1Disabled.py @@ -1,30 +1,36 @@ +from __future__ import annotations + +from typing import Any + +from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceValueCheck from checkov.common.models.enums import CheckResult, CheckCategories -from checkov.cloudformation.checks.resource.base_resource_check import BaseResourceCheck +from checkov.common.util.data_structures_utils import find_in_dict -class IMDSv1Disabled(BaseResourceCheck): - def __init__(self): +class IMDSv1Disabled(BaseResourceValueCheck): + def __init__(self) -> None: name = "Ensure Instance Metadata Service Version 1 is not enabled" id = "CKV_AWS_79" - supported_resources = ['AWS::EC2::LaunchTemplate'] - categories = [CheckCategories.IAM] + supported_resources = ("AWS::EC2::LaunchTemplate",) + categories = (CheckCategories.IAM,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) - def scan_resource_conf(self, conf): + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: # IMDS can be disabled or IMDSv2 can be enabled - if 'Properties' in conf.keys(): - properties = conf['Properties'] - if 'LaunchTemplateData' in properties.keys(): - launch_template_data = properties['LaunchTemplateData'] - if 'MetadataOptions' in launch_template_data.keys(): - metadata_options = launch_template_data['MetadataOptions'] - if 'HttpEndpoint' in metadata_options.keys(): - if metadata_options['HttpEndpoint'] == "disabled": - return CheckResult.PASSED - if 'HttpTokens' in metadata_options.keys(): - if metadata_options['HttpTokens'] == "required": - return CheckResult.PASSED - return CheckResult.FAILED + http_endpoint = find_in_dict( + input_dict=conf, + key_path="Properties/LaunchTemplateData/MetadataOptions/HttpEndpoint", + ) + if http_endpoint == "disabled": + return CheckResult.PASSED + + return super().scan_resource_conf(conf) + + def get_inspected_key(self) -> str: + return "Properties/LaunchTemplateData/MetadataOptions/HttpTokens" + + def get_expected_value(self) -> Any: + return "required" check = IMDSv1Disabled() diff --git a/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py b/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py new file mode 100644 index 00000000000..78d38557da4 --- /dev/null +++ b/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py @@ -0,0 +1,39 @@ +from __future__ import annotations + +from typing import List, Any + +from checkov.cloudformation.checks.resource.base_resource_check import BaseResourceCheck +from checkov.common.models.enums import CheckCategories, CheckResult + + +class LambdaServicePermission(BaseResourceCheck): + def __init__(self) -> None: + name = "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount" + id = "CKV_AWS_364" + supported_resources = ("AWS::Lambda::Permission",) + categories = (CheckCategories.IAM,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: + properties = conf.get('Properties') + if properties and isinstance(properties, dict): + principal = properties.get('Principal') + if principal and isinstance(principal, str): + principal_parts = principal.split('.') + try: + if principal_parts[1] == 'amazonaws' and principal_parts[2] == 'com': + if properties.get('SourceArn') or properties.get('SourceAccount'): + return CheckResult.PASSED + else: + return CheckResult.FAILED + except IndexError: + print("Not a service principal") + # Not a service principal, so pass. + return CheckResult.UNKNOWN + return CheckResult.UNKNOWN + + def get_evaluated_keys(self) -> List[str]: + return ['Properties/Principal', 'Properties/SourceArn', 'Properties/SourceAccount'] + + +check = LambdaServicePermission() diff --git a/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py b/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py new file mode 100644 index 00000000000..6031f6b241c --- /dev/null +++ b/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py @@ -0,0 +1,28 @@ +from __future__ import annotations + +from typing import Any + +from checkov.cloudformation.checks.resource.base_resource_check import BaseResourceCheck +from checkov.common.models.enums import CheckResult, CheckCategories + + +class NeptuneClusterBackupRetention(BaseResourceCheck): + def __init__(self) -> None: + name = "Ensure that Neptune DB cluster has automated backups enabled with adequate retention" + id = "CKV_AWS_361" + supported_resources = ("AWS::Neptune::DBCluster",) + categories = (CheckCategories.BACKUP_AND_RECOVERY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: + backup_retention = conf.get("Properties", {}).get("BackupRetentionPeriod", 1) + if backup_retention >= 7: + return CheckResult.PASSED + + return CheckResult.FAILED + + def get_evaluated_keys(self) -> list[str]: + return ["Properties/BackupRetentionPeriod"] + + +check = NeptuneClusterBackupRetention() diff --git a/checkov/cloudformation/graph_builder/variable_rendering/renderer.py b/checkov/cloudformation/graph_builder/variable_rendering/renderer.py index c7781af7905..63db342dd68 100644 --- a/checkov/cloudformation/graph_builder/variable_rendering/renderer.py +++ b/checkov/cloudformation/graph_builder/variable_rendering/renderer.py @@ -1,9 +1,7 @@ from __future__ import annotations import logging -from typing import TYPE_CHECKING, Tuple, List, Any, Dict, Optional, Callable - -from typing_extensions import TypedDict +from typing import TYPE_CHECKING, Tuple, List, Any, Dict, Optional, Callable, TypedDict from checkov.cloudformation.graph_builder.graph_components.block_types import BlockType from checkov.cloudformation.graph_builder.utils import get_referenced_vertices_in_value, find_all_interpolations diff --git a/checkov/cloudformation/runner.py b/checkov/cloudformation/runner.py index 957c935105f..918288adf1c 100644 --- a/checkov/cloudformation/runner.py +++ b/checkov/cloudformation/runner.py @@ -28,7 +28,7 @@ from checkov.common.output.graph_record import GraphRecord from checkov.common.output.record import Record from checkov.common.output.report import Report, merge_reports, CheckType -from checkov.common.runners.base_runner import BaseRunner, CHECKOV_CREATE_GRAPH +from checkov.common.runners.base_runner import BaseRunner from checkov.common.util.secrets import omit_secret_value_from_checks from checkov.runner_filter import RunnerFilter @@ -89,25 +89,22 @@ def run( if external_checks_dir: for directory in external_checks_dir: cfn_registry.load_external_checks(directory) - - if CHECKOV_CREATE_GRAPH: - self.graph_registry.load_external_checks(directory) + self.graph_registry.load_external_checks(directory) self.context = build_definitions_context(self.definitions, self.definitions_raw) - if CHECKOV_CREATE_GRAPH: - logging.info("creating CloudFormation graph") - local_graph = self.graph_manager.build_graph_from_definitions(self.definitions) - logging.info("Successfully created CloudFormation graph") - - for vertex in local_graph.vertices: - if vertex.block_type == BlockType.RESOURCE: - report.add_resource(f'{vertex.path}:{vertex.id}') - self.graph_manager.save_graph(local_graph) - self.definitions, self.breadcrumbs = convert_graph_vertices_to_definitions( - vertices=local_graph.vertices, - root_folder=root_folder, - ) + logging.info("creating CloudFormation graph") + local_graph = self.graph_manager.build_graph_from_definitions(self.definitions) + logging.info("Successfully created CloudFormation graph") + + for vertex in local_graph.vertices: + if vertex.block_type == BlockType.RESOURCE: + report.add_resource(f'{vertex.path}:{vertex.id}') + self.graph_manager.save_graph(local_graph) + self.definitions, self.breadcrumbs = convert_graph_vertices_to_definitions( + vertices=local_graph.vertices, + root_folder=root_folder, + ) # TODO: replace with real graph rendering for cf_file in self.definitions.keys(): @@ -126,9 +123,8 @@ def run( self.check_definitions(root_folder, runner_filter, report) # run graph checks - if CHECKOV_CREATE_GRAPH: - graph_report = self.get_graph_checks_report(root_folder, runner_filter) - merge_reports(report, graph_report) + graph_report = self.get_graph_checks_report(root_folder, runner_filter) + merge_reports(report, graph_report) if runner_filter.run_image_referencer: if files: @@ -191,7 +187,7 @@ def check_definitions(self, root_folder: str | None, runner_filter: RunnerFilter severity=check.severity ) - if CHECKOV_CREATE_GRAPH and self.breadcrumbs: + if self.breadcrumbs: breadcrumb = self.breadcrumbs.get(record.file_path, {}).get(record.resource) if breadcrumb: record = GraphRecord(record, breadcrumb) diff --git a/checkov/common/bridgecrew/integration_features/features/fixes_integration.py b/checkov/common/bridgecrew/integration_features/features/fixes_integration.py index 1a07749f83f..4d033a7af40 100644 --- a/checkov/common/bridgecrew/integration_features/features/fixes_integration.py +++ b/checkov/common/bridgecrew/integration_features/features/fixes_integration.py @@ -6,6 +6,9 @@ from itertools import groupby from typing import TYPE_CHECKING, Any +from urllib3 import PoolManager +from urllib3.exceptions import ProtocolError + from checkov.common.bridgecrew.integration_features.base_integration_feature import BaseIntegrationFeature from checkov.common.bridgecrew.integration_features.features.policy_metadata_integration import integration as metadata_integration from checkov.common.bridgecrew.platform_integration import bc_integration @@ -102,6 +105,7 @@ def _get_fixes_for_file( 'framework': check_type, 'errors': errors } + logging.debug(f'Payload for fixes API: file_path: {filename}, fileContent: {file_contents}, framework: {check_type}, errors: {errors}') headers = merge_dicts( get_default_post_headers(self.bc_integration.bc_source, self.bc_integration.bc_source_version), @@ -111,7 +115,22 @@ def _get_fixes_for_file( if not self.bc_integration.http: raise AttributeError("HTTP manager was not correctly created") - request = self.bc_integration.http.request("POST", self.fixes_url, headers=headers, body=json.dumps(payload)) # type:ignore[no-untyped-call] + try: + logging.debug(f'Calling fixes API with payload: {json.dumps(payload)}, headers: {headers}, url: {self.fixes_url}') + request = self.bc_integration.http.request("POST", self.fixes_url, headers=headers, body=json.dumps(payload)) # type:ignore[no-untyped-call] + + # When running via IDE we can fail here in case of running with -d when the poolManager is broken + except ProtocolError as e: + logging.error(f'Get fixes request for file {filename} failed with response code error: {e}') + if isinstance(self.bc_integration.http, PoolManager): + self.bc_integration.http = None + self.bc_integration.setup_http_manager( + self.bc_integration.ca_certificate, + self.bc_integration.no_cert_verify + ) + request = self.bc_integration.http.request("POST", self.fixes_url, headers=headers, body=json.dumps(payload)) # type:ignore + else: + return None if request.status != 200: error_message = extract_error_message(request) diff --git a/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py b/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py index ce3ca166513..d36dd6650c5 100644 --- a/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py +++ b/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py @@ -166,7 +166,8 @@ def _check_suppression(self, record: Record, suppression: dict[str, Any]) -> boo elif type == 'Cves': if 'accountIds' not in suppression: return False - if self.bc_integration.repo_id and self.bc_integration.source_id and self.bc_integration.source_id in suppression['accountIds']: + if self.bc_integration.repo_id and self.bc_integration.source_id and self.bc_integration.source_id in suppression['accountIds']\ + and suppression['cves']: repo_name = self.bc_integration.repo_id.replace('\\', '/').split('/')[-1] suppression_path = suppression['cves'][0]['id'].replace('\\', '/') file_abs_path = record.file_abs_path.replace('\\', '/') diff --git a/checkov/common/bridgecrew/platform_integration.py b/checkov/common/bridgecrew/platform_integration.py index 2f85a93680b..6533df4dd55 100644 --- a/checkov/common/bridgecrew/platform_integration.py +++ b/checkov/common/bridgecrew/platform_integration.py @@ -14,7 +14,7 @@ from os import path from pathlib import Path from time import sleep -from typing import List, Dict, TYPE_CHECKING, Any, cast +from typing import List, Dict, TYPE_CHECKING, Any, cast, Optional import boto3 import dpath @@ -33,17 +33,28 @@ from checkov.common.bridgecrew.platform_key import read_key, persist_key, bridgecrew_file from checkov.common.bridgecrew.wrapper import reduce_scan_reports, persist_checks_results, \ enrich_and_persist_checks_metadata, checkov_results_prefix, persist_run_metadata, _put_json_object, \ - persist_logs_stream, persist_graphs + persist_logs_stream, persist_graphs, persist_resource_subgraph_maps from checkov.common.models.consts import SUPPORTED_FILE_EXTENSIONS, SUPPORTED_FILES, SCANNABLE_PACKAGE_FILES from checkov.common.bridgecrew.check_type import CheckType from checkov.common.runners.base_runner import filter_ignored_paths -from checkov.common.typing import _CicdDetails +from checkov.common.typing import _CicdDetails, LibraryGraph from checkov.common.util.consts import PRISMA_PLATFORM, BRIDGECREW_PLATFORM, CHECKOV_RUN_SCA_PACKAGE_SCAN_V2 from checkov.common.util.data_structures_utils import merge_dicts from checkov.common.util.dockerfile import is_dockerfile -from checkov.common.util.http_utils import normalize_prisma_url, get_auth_header, get_default_get_headers, \ - get_user_agent_header, get_default_post_headers, get_prisma_get_headers, get_prisma_auth_header, \ - get_auth_error_message, normalize_bc_url +from checkov.common.util.http_utils import ( + normalize_prisma_url, + get_auth_header, + get_default_get_headers, + get_user_agent_header, + get_default_post_headers, + get_prisma_get_headers, + get_prisma_auth_header, + get_auth_error_message, + normalize_bc_url, + REQUEST_CONNECT_TIMEOUT, + REQUEST_READ_TIMEOUT, + REQUEST_RETRIES, +) from checkov.common.util.type_forcers import convert_prisma_policy_filter_to_dict, convert_str_to_bool from checkov.version import version as checkov_version @@ -55,8 +66,6 @@ from mypy_boto3_s3.client import S3Client from requests import Response from typing_extensions import TypeGuard - from igraph import Graph - from networkx import DiGraph SLEEP_SECONDS = 1 @@ -116,11 +125,16 @@ def __init__(self) -> None: self.use_s3_integration = False self.platform_integration_configured = False self.http: urllib3.PoolManager | urllib3.ProxyManager | None = None + self.http_timeout = urllib3.Timeout(connect=REQUEST_CONNECT_TIMEOUT, read=REQUEST_READ_TIMEOUT) + self.http_retry = urllib3.Retry(REQUEST_RETRIES, redirect=3) self.bc_skip_mapping = False self.cicd_details: _CicdDetails = {} self.support_flag_enabled = False self.enable_persist_graphs = convert_str_to_bool(os.getenv('BC_ENABLE_PERSIST_GRAPHS', 'True')) self.persist_graphs_timeout = int(os.getenv('BC_PERSIST_GRAPHS_TIMEOUT', 60)) + self.ca_certificate: str | None = None + self.no_cert_verify: bool = False + self.on_prem: bool = False def set_bc_api_url(self, new_url: str) -> None: self.bc_api_url = normalize_bc_url(new_url) @@ -206,6 +220,9 @@ def setup_http_manager(self, ca_certificate: str | None = None, no_cert_verify: :param ca_certificate: an optional CA bundle to be used by both libraries. :param no_cert_verify: whether to skip SSL cert verification """ + self.ca_certificate = ca_certificate + self.no_cert_verify = no_cert_verify + ca_certificate = ca_certificate or os.getenv('BC_CA_BUNDLE') cert_reqs: str | None @@ -217,22 +234,39 @@ def setup_http_manager(self, ca_certificate: str | None = None, no_cert_verify: logging.debug(f'Using CA cert {ca_certificate} and cert_reqs {cert_reqs}') try: parsed_url = urllib3.util.parse_url(os.environ['https_proxy']) - self.http = urllib3.ProxyManager(os.environ['https_proxy'], - cert_reqs=cert_reqs, - ca_certs=ca_certificate, - proxy_headers=urllib3.make_headers(proxy_basic_auth=parsed_url.auth)) # type:ignore[no-untyped-call] + self.http = urllib3.ProxyManager( + os.environ['https_proxy'], + cert_reqs=cert_reqs, + ca_certs=ca_certificate, + proxy_headers=urllib3.make_headers(proxy_basic_auth=parsed_url.auth), # type:ignore[no-untyped-call] + timeout=self.http_timeout, + retries=self.http_retry, + ) except KeyError: - self.http = urllib3.PoolManager(cert_reqs=cert_reqs, ca_certs=ca_certificate) + self.http = urllib3.PoolManager( + cert_reqs=cert_reqs, + ca_certs=ca_certificate, + timeout=self.http_timeout, + retries=self.http_retry, + ) else: cert_reqs = 'CERT_NONE' if no_cert_verify else None logging.debug(f'Using cert_reqs {cert_reqs}') try: parsed_url = urllib3.util.parse_url(os.environ['https_proxy']) - self.http = urllib3.ProxyManager(os.environ['https_proxy'], - cert_reqs=cert_reqs, - proxy_headers=urllib3.make_headers(proxy_basic_auth=parsed_url.auth)) # type:ignore[no-untyped-call] + self.http = urllib3.ProxyManager( + os.environ['https_proxy'], + cert_reqs=cert_reqs, + proxy_headers=urllib3.make_headers(proxy_basic_auth=parsed_url.auth), # type:ignore[no-untyped-call] + timeout=self.http_timeout, + retries=self.http_retry, + ) except KeyError: - self.http = urllib3.PoolManager(cert_reqs=cert_reqs) + self.http = urllib3.PoolManager( + cert_reqs=cert_reqs, + timeout=self.http_timeout, + retries=self.http_retry, + ) logging.debug('Successfully set up HTTP manager') def setup_bridgecrew_credentials( @@ -450,9 +484,9 @@ def persist_scan_results(self, scan_reports: list[Report]) -> None: # just process reports with actual results in it self.scan_reports = [scan_report for scan_report in scan_reports if not scan_report.is_empty(full=True)] - reduced_scan_reports = reduce_scan_reports(self.scan_reports) + reduced_scan_reports = reduce_scan_reports(self.scan_reports, self.on_prem) checks_metadata_paths = enrich_and_persist_checks_metadata(self.scan_reports, self.s3_client, self.bucket, - self.repo_path) + self.repo_path, self.on_prem) dpath.merge(reduced_scan_reports, checks_metadata_paths) persist_checks_results(reduced_scan_reports, self.s3_client, self.bucket, self.repo_path) @@ -523,7 +557,7 @@ def persist_logs_stream(self, logs_stream: StringIO) -> None: log_path = f'{self.support_repo_path}/checkov_results' if self.support_repo_path == self.repo_path else self.support_repo_path persist_logs_stream(logs_stream, self.s3_client, self.support_bucket, log_path) - def persist_graphs(self, graphs: dict[str, DiGraph | Graph], absolute_root_folder: str = '') -> None: + def persist_graphs(self, graphs: dict[str, list[tuple[LibraryGraph, Optional[str]]]], absolute_root_folder: str = '') -> None: if not self.use_s3_integration or not self.s3_client: return if not self.bucket or not self.repo_path: @@ -532,6 +566,14 @@ def persist_graphs(self, graphs: dict[str, DiGraph | Graph], absolute_root_folde persist_graphs(graphs, self.s3_client, self.bucket, self.repo_path, self.persist_graphs_timeout, absolute_root_folder=absolute_root_folder) + def persist_resource_subgraph_maps(self, resource_subgraph_maps: dict[str, dict[str, str]]) -> None: + if not self.use_s3_integration or not self.s3_client: + return + if not self.bucket or not self.repo_path: + logging.error(f"Something went wrong: bucket {self.bucket}, repo path {self.repo_path}") + return + persist_resource_subgraph_maps(resource_subgraph_maps, self.s3_client, self.bucket, self.repo_path, self.persist_graphs_timeout) + def commit_repository(self, branch: str) -> str | None: """ :param branch: branch to be persisted @@ -1087,5 +1129,9 @@ def get_sso_prismacloud_url(self, report_url: str) -> str: return report_url + def setup_on_prem(self) -> None: + if self.customer_run_config_response: + self.on_prem = self.customer_run_config_response.get('onPrem', False) + bc_integration = BcPlatformIntegration() diff --git a/checkov/common/bridgecrew/wrapper.py b/checkov/common/bridgecrew/wrapper.py index 17dde199b96..bce5eb7e784 100644 --- a/checkov/common/bridgecrew/wrapper.py +++ b/checkov/common/bridgecrew/wrapper.py @@ -6,11 +6,12 @@ import itertools from concurrent import futures from io import StringIO -from typing import Any, TYPE_CHECKING +from typing import Any, TYPE_CHECKING, Optional from collections import defaultdict import dpath from igraph import Graph +from rustworkx import PyDiGraph, digraph_node_link_json # type: ignore try: from networkx import DiGraph, node_link_data @@ -19,9 +20,10 @@ DiGraph = str node_link_data = lambda G : {} + from checkov.common.bridgecrew.check_type import CheckType from checkov.common.models.consts import SUPPORTED_FILE_EXTENSIONS -from checkov.common.typing import _ReducedScanReport +from checkov.common.typing import _ReducedScanReport, LibraryGraph from checkov.common.util.file_utils import compress_string_io_tar from checkov.common.util.igraph_serialization import serialize_to_json from checkov.common.util.json_utils import CustomJSONEncoder @@ -38,6 +40,10 @@ secrets_check_reduced_keys = check_reduced_keys + ('validation_status',) check_metadata_keys = ('evaluations', 'code_block', 'workflow_name', 'triggers', 'job') +FILE_NAME_NETWORKX = 'graph_networkx.json' +FILE_NAME_IGRAPH = 'graph_igraph.json' +FILE_NAME_RUSTWORKX = 'graph_rustworkx.json' + def _is_scanned_file(file: str) -> bool: file_ending = os.path.splitext(file)[1] @@ -52,18 +58,20 @@ def _put_json_object(s3_client: S3Client, json_obj: Any, bucket: str, object_pat raise -def _extract_checks_metadata(report: Report, full_repo_object_key: str) -> dict[str, dict[str, Any]]: +def _extract_checks_metadata(report: Report, full_repo_object_key: str, on_prem: bool) -> dict[str, dict[str, Any]]: metadata: dict[str, dict[str, Any]] = defaultdict(dict) for check in itertools.chain(report.passed_checks, report.failed_checks, report.skipped_checks): metadata_key = f'{check.file_path}:{check.resource}' check_meta = {k: getattr(check, k, "") for k in check_metadata_keys} check_meta['file_object_path'] = full_repo_object_key + check.file_path + if on_prem: + check_meta['code_block'] = [] metadata[metadata_key][check.check_id] = check_meta return metadata -def reduce_scan_reports(scan_reports: list[Report]) -> dict[str, _ReducedScanReport]: +def reduce_scan_reports(scan_reports: list[Report], on_prem: Optional[bool] = False) -> dict[str, _ReducedScanReport]: """ Transform checkov reports objects into compact dictionaries :param scan_reports: List of checkov output reports @@ -73,6 +81,8 @@ def reduce_scan_reports(scan_reports: list[Report]) -> dict[str, _ReducedScanRep for report in scan_reports: check_type = report.check_type reduced_keys = secrets_check_reduced_keys if check_type == CheckType.SECRETS else check_reduced_keys + if on_prem: + reduced_keys = tuple(k for k in reduced_keys if k != 'code_block') reduced_scan_reports[check_type] = \ { "checks": { @@ -130,7 +140,7 @@ def persist_logs_stream(logs_stream: StringIO, s3_client: S3Client, bucket: str, def enrich_and_persist_checks_metadata( - scan_reports: list[Report], s3_client: S3Client, bucket: str, full_repo_object_key: str + scan_reports: list[Report], s3_client: S3Client, bucket: str, full_repo_object_key: str, on_prem: bool ) -> dict[str, dict[str, str]]: """ Save checks metadata into bridgecrew's platform @@ -139,26 +149,36 @@ def enrich_and_persist_checks_metadata( checks_metadata_paths: dict[str, dict[str, str]] = {} for scan_report in scan_reports: check_type = scan_report.check_type - checks_metadata_object = _extract_checks_metadata(scan_report, full_repo_object_key) + checks_metadata_object = _extract_checks_metadata(scan_report, full_repo_object_key, on_prem) checks_metadata_object_path = f'{full_repo_object_key}/{checkov_results_prefix}/{check_type}/checks_metadata.json' dpath.new(checks_metadata_paths, f"{check_type}/checks_metadata_path", checks_metadata_object_path) _put_json_object(s3_client, checks_metadata_object, bucket, checks_metadata_object_path) return checks_metadata_paths -def persist_graphs(graphs: dict[str, DiGraph | Graph], s3_client: S3Client, bucket: str, full_repo_object_key: str, - timeout: int, absolute_root_folder: str = '') -> None: - def _upload_graph(check_type: str, graph: DiGraph | Graph, _absolute_root_folder: str = '') -> None: +def persist_graphs( + graphs: dict[str, list[tuple[LibraryGraph, Optional[str]]]], + s3_client: S3Client, + bucket: str, + full_repo_object_key: str, + timeout: int, + absolute_root_folder: str = '' +) -> None: + def _upload_graph(check_type: str, graph: LibraryGraph, _absolute_root_folder: str = '', subgraph_path: Optional[str] = None) -> None: if isinstance(graph, DiGraph): json_obj = node_link_data(graph) - graph_file_name = 'graph_networkx.json' + graph_file_name = FILE_NAME_NETWORKX elif isinstance(graph, Graph): json_obj = serialize_to_json(graph, _absolute_root_folder) - graph_file_name = 'graph_igraph.json' + graph_file_name = FILE_NAME_IGRAPH + elif isinstance(graph, PyDiGraph): + json_obj = digraph_node_link_json(graph) + graph_file_name = FILE_NAME_RUSTWORKX else: logging.error(f"unsupported graph type '{graph.__class__.__name__}'") return - s3_key = f'{graphs_repo_object_key}/{check_type}/{graph_file_name}' + multi_graph_addition = (f"multi-graph/{subgraph_path}" if subgraph_path is not None else '').rstrip("/") + s3_key = os.path.join(graphs_repo_object_key, check_type, multi_graph_addition, graph_file_name) try: _put_json_object(s3_client, json_obj, bucket, s3_key) except Exception: @@ -168,9 +188,36 @@ def _upload_graph(check_type: str, graph: DiGraph | Graph, _absolute_root_folder with futures.ThreadPoolExecutor() as executor: futures.wait( - [executor.submit(_upload_graph, check_type, graph, absolute_root_folder) for - check_type, graph in graphs.items()], + [executor.submit(_upload_graph, check_type, graph, absolute_root_folder, subgraph_path) for + check_type, graphs in graphs.items() for graph, subgraph_path in graphs], + return_when=futures.FIRST_EXCEPTION, + timeout=timeout + ) + logging.info(f"Done persisting {len(list(itertools.chain(*graphs.values())))} graphs") + + +def persist_resource_subgraph_maps( + resource_subgraph_maps: dict[str, dict[str, str]], + s3_client: S3Client, + bucket: str, + full_repo_object_key: str, + timeout: int +) -> None: + def _upload_resource_subgraph_map(check_type: str, resource_subgraph_map: dict[str, str]) -> None: + s3_key = os.path.join(graphs_repo_object_key, check_type, "multi-graph/resource_subgraph_maps/resource_subgraph_map.json") + try: + _put_json_object(s3_client, resource_subgraph_map, bucket, s3_key) + except Exception: + logging.error(f'failed to upload resource_subgraph_map from framework {check_type} to platform', exc_info=True) + + # removing '/src' with [:-4] + graphs_repo_object_key = full_repo_object_key.replace('checkov', 'graphs')[:-4] + with futures.ThreadPoolExecutor() as executor: + futures.wait( + [executor.submit(_upload_resource_subgraph_map, check_type, resource_subgraph_map) for + check_type, resource_subgraph_map in resource_subgraph_maps.items()], return_when=futures.FIRST_EXCEPTION, timeout=timeout ) - logging.info(f"Done persisting {len(graphs)} graphs") + if resource_subgraph_maps: + logging.info(f"Done persisting resource_subgraph_maps for frameworks - {', '.join(resource_subgraph_maps.keys())}") diff --git a/checkov/common/checks_infra/solvers/attribute_solvers/base_attribute_solver.py b/checkov/common/checks_infra/solvers/attribute_solvers/base_attribute_solver.py index 46366133c16..637d24a2718 100644 --- a/checkov/common/checks_infra/solvers/attribute_solvers/base_attribute_solver.py +++ b/checkov/common/checks_infra/solvers/attribute_solvers/base_attribute_solver.py @@ -8,6 +8,7 @@ from igraph import Graph from bc_jsonpath_ng.ext import parse +from networkx import DiGraph from checkov.common.graph.checks_infra import debug from checkov.common.graph.checks_infra.enums import SolverType @@ -65,8 +66,17 @@ def run(self, graph_connector: LibraryGraph) -> Tuple[List[Dict[str, Any]], List failed_vertices.append(data) return passed_vertices, failed_vertices, unknown_vertices + elif isinstance(graph_connector, DiGraph): + for _, data in graph_connector.nodes(data=True): + if (not self.resource_types or data.get(CustomAttributes.RESOURCE_TYPE) in self.resource_types) \ + and data.get(CustomAttributes.BLOCK_TYPE) in SUPPORTED_BLOCK_TYPES: + jobs.append(executer.submit( + self._process_node, data, passed_vertices, failed_vertices, unknown_vertices)) + + concurrent.futures.wait(jobs) + return passed_vertices, failed_vertices, unknown_vertices - for _, data in graph_connector.nodes(data=True): + for _, data in graph_connector.nodes(): if (not self.resource_types or data.get(CustomAttributes.RESOURCE_TYPE) in self.resource_types) \ and data.get(CustomAttributes.BLOCK_TYPE) in SUPPORTED_BLOCK_TYPES: jobs.append(executer.submit( diff --git a/checkov/common/checks_infra/solvers/complex_solvers/base_complex_solver.py b/checkov/common/checks_infra/solvers/complex_solvers/base_complex_solver.py index a98cccbfe8d..92a4e049191 100644 --- a/checkov/common/checks_infra/solvers/complex_solvers/base_complex_solver.py +++ b/checkov/common/checks_infra/solvers/complex_solvers/base_complex_solver.py @@ -4,6 +4,7 @@ from typing import List, Any, Tuple, Dict, TYPE_CHECKING, Optional from igraph import Graph +from networkx import DiGraph from checkov.common.graph.checks_infra import debug from checkov.common.graph.checks_infra.enums import SolverType @@ -59,8 +60,19 @@ def run(self, graph_connector: LibraryGraph) -> Tuple[List[Dict[str, Any]], List ) return passed_vertices, failed_vertices, unknown_vertices + elif isinstance(graph_connector, DiGraph): + for _, data in graph_connector.nodes(data=True): + if self.resource_type_pred(data, self.resource_types): + result = self.get_operation(data) + if result is None: + unknown_vertices.append(data) + elif result: + passed_vertices.append(data) + else: + failed_vertices.append(data) + return passed_vertices, failed_vertices, unknown_vertices - for _, data in graph_connector.nodes(data=True): + for _, data in graph_connector.nodes(): if self.resource_type_pred(data, self.resource_types): result = self.get_operation(data) if result is None: diff --git a/checkov/common/checks_infra/solvers/connections_solvers/base_connection_solver.py b/checkov/common/checks_infra/solvers/connections_solvers/base_connection_solver.py index 2b43310af98..cd6508a6108 100644 --- a/checkov/common/checks_infra/solvers/connections_solvers/base_connection_solver.py +++ b/checkov/common/checks_infra/solvers/connections_solvers/base_connection_solver.py @@ -4,6 +4,7 @@ from typing import Any, List, Dict, Optional, Tuple, TYPE_CHECKING from igraph import Graph +from networkx import DiGraph from checkov.common.graph.checks_infra.enums import SolverType from checkov.common.graph.checks_infra.solvers.base_solver import BaseSolver @@ -61,7 +62,7 @@ def set_vertices(self, graph_connector: LibraryGraph, exclude_vertices: List[Dic self.vertices_under_connected_resources_types = [ data for data in graph_connector.vs.select(resource_type_in=self.connected_resources_types)["attr"] ] - else: + elif isinstance(graph_connector, DiGraph): self.vertices_under_resource_types = [ v for _, v in graph_connector.nodes(data=True) if self.resource_type_pred(v, self.resource_types) ] @@ -69,6 +70,16 @@ def set_vertices(self, graph_connector: LibraryGraph, exclude_vertices: List[Dic v for _, v in graph_connector.nodes(data=True) if self.resource_type_pred(v, self.connected_resources_types) ] + # isinstance(graph_connector, PyDiGraph): + else: + self.vertices_under_resource_types = [ + v for _, v in graph_connector.nodes() if self.resource_type_pred(v, self.resource_types) + ] + self.vertices_under_connected_resources_types = [ + v for _, v in graph_connector.nodes() if + self.resource_type_pred(v, self.connected_resources_types) + ] + self.excluded_vertices = [ v for v in itertools.chain(self.vertices_under_resource_types, self.vertices_under_connected_resources_types) @@ -92,7 +103,7 @@ def reduce_graph_by_target_types(self, graph_connector: LibraryGraph) -> Library connection_nodes = { vertex for vertex in graph_connector.vs.select(block_type__in=BaseConnectionSolver.SUPPORTED_CONNECTION_BLOCK_TYPES) } - else: + elif isinstance(graph_connector, DiGraph): resource_nodes = { node for node, resource_type in graph_connector.nodes(data=CustomAttributes.RESOURCE_TYPE) @@ -106,9 +117,24 @@ def reduce_graph_by_target_types(self, graph_connector: LibraryGraph) -> Library if block_type in BaseConnectionSolver.SUPPORTED_CONNECTION_BLOCK_TYPES } + # isinstance(graph_connector, PyDiGraph): + else: + resource_nodes = { + index + for index, node in graph_connector.nodes() + if self.resource_type_pred(node, list(self.targeted_resources_types)) + } + + # tuple needs to be adjusted, if more connection block types are supported + connection_nodes = { + index + for index, node in graph_connector.nodes() + if node['block_type_'] in BaseConnectionSolver.SUPPORTED_CONNECTION_BLOCK_TYPES + } + resource_nodes.update(connection_nodes) - return graph_connector.subgraph(resource_nodes) + return graph_connector.subgraph(list(resource_nodes)) def populate_checks_results(self, origin_attributes: Dict[str, Any], destination_attributes: Dict[str, Any], passed: List[Dict[str, Any]], failed: List[Dict[str, Any]], unknown: List[Dict[str, Any]]) -> None: if origin_attributes in self.excluded_vertices or destination_attributes in self.excluded_vertices: diff --git a/checkov/common/checks_infra/solvers/connections_solvers/connection_exists_solver.py b/checkov/common/checks_infra/solvers/connections_solvers/connection_exists_solver.py index a0c26a02613..1cafb97a64b 100644 --- a/checkov/common/checks_infra/solvers/connections_solvers/connection_exists_solver.py +++ b/checkov/common/checks_infra/solvers/connections_solvers/connection_exists_solver.py @@ -1,13 +1,16 @@ +from __future__ import annotations + import itertools import logging from typing import List, Optional, Dict, Any, Tuple from igraph import Graph +from rustworkx import PyDiGraph from checkov.common.graph.checks_infra import debug try: - from networkx import edge_dfs + from networkx import edge_dfs, DiGraph except ImportError: logging.info("Not able to import networkx") edge_dfs = lambda G : [] @@ -63,71 +66,13 @@ def _get_operation( return passed, failed, unknown if isinstance(graph_connector, Graph): - - for root_vertex in graph_connector.vs: - inverted = False - origin_attributes = None - destination_attributes_list = [] - for vertex in graph_connector.dfsiter(root_vertex.index): - resource_type = vertex[CustomAttributes.RESOURCE_TYPE] - attributes = vertex["attr"] - if resource_type in self.resource_types and attributes in self.vertices_under_resource_types: - if not origin_attributes: - origin_attributes = attributes - elif inverted: - destination_attributes_list.append(attributes) - elif resource_type in self.connected_resources_types and attributes in self.vertices_under_connected_resources_types: - if not origin_attributes: - origin_attributes = attributes - inverted = True - else: - destination_attributes_list.append(attributes) - - if origin_attributes and destination_attributes_list: - for destination_attributes in destination_attributes_list: - self.populate_checks_results( - origin_attributes=origin_attributes, - destination_attributes=destination_attributes, - passed=passed, - failed=failed, - unknown=unknown, - ) + self.get_igraph_operation(graph_connector=graph_connector, passed=passed, failed=failed, unknown=unknown) + elif isinstance(graph_connector, DiGraph): + self.get_networkx_operation(graph_connector=graph_connector, passed=passed, failed=failed, unknown=unknown) + elif isinstance(graph_connector, PyDiGraph): + self.get_rustworkx_operation(graph_connector=graph_connector, passed=passed, failed=failed, unknown=unknown) else: - for u, v in edge_dfs(graph_connector): - origin_attributes = graph_connector.nodes(data=True)[u] - opposite_vertices = None - if origin_attributes in self.vertices_under_resource_types: - opposite_vertices = self.vertices_under_connected_resources_types - elif origin_attributes in self.vertices_under_connected_resources_types: - opposite_vertices = self.vertices_under_resource_types - if not opposite_vertices: - continue - - destination_attributes = graph_connector.nodes(data=True)[v] - if destination_attributes in opposite_vertices: - self.populate_checks_results( - origin_attributes=origin_attributes, - destination_attributes=destination_attributes, - passed=passed, - failed=failed, - unknown=unknown, - ) - destination_attributes["connected_node"] = origin_attributes - continue - - destination_block_type = destination_attributes.get(CustomAttributes.BLOCK_TYPE) - if destination_block_type == BlockType.OUTPUT: - try: - output_edges = graph_connector.edges(v, data=True) - _, output_destination, _ = next(iter(output_edges)) - output_destination = graph_connector.nodes(data=True)[output_destination] - output_destination_type = output_destination.get(CustomAttributes.RESOURCE_TYPE) - if self.is_associated_edge( - origin_attributes.get(CustomAttributes.RESOURCE_TYPE), output_destination_type - ): - passed.extend([origin_attributes, output_destination]) - except StopIteration: - continue + raise Exception(f"Graph type {type(graph_connector)} not supported") failed.extend( [ @@ -140,3 +85,132 @@ def _get_operation( ) return passed, failed, unknown + + def get_igraph_operation( + self, + graph_connector: Graph, + passed: list[dict[str, Any]], + failed: list[dict[str, Any]], + unknown: list[dict[str, Any]], + ) -> None: + for root_vertex in graph_connector.vs: + inverted = False + origin_attributes = None + destination_attributes_list = [] + for vertex in graph_connector.dfsiter(root_vertex.index): + resource_type = vertex[CustomAttributes.RESOURCE_TYPE] + attributes = vertex["attr"] + if resource_type in self.resource_types and attributes in self.vertices_under_resource_types: + if not origin_attributes: + origin_attributes = attributes + elif inverted: + destination_attributes_list.append(attributes) + elif ( + resource_type in self.connected_resources_types + and attributes in self.vertices_under_connected_resources_types + ): + if not origin_attributes: + origin_attributes = attributes + inverted = True + else: + destination_attributes_list.append(attributes) + + if origin_attributes and destination_attributes_list: + for destination_attributes in destination_attributes_list: + self.populate_checks_results( + origin_attributes=origin_attributes, + destination_attributes=destination_attributes, + passed=passed, + failed=failed, + unknown=unknown, + ) + + def get_networkx_operation( + self, + graph_connector: DiGraph, + passed: list[dict[str, Any]], + failed: list[dict[str, Any]], + unknown: list[dict[str, Any]], + ) -> None: + for u, v in edge_dfs(graph_connector): + origin_attributes = graph_connector.nodes(data=True)[u] + opposite_vertices = None + if origin_attributes in self.vertices_under_resource_types: + opposite_vertices = self.vertices_under_connected_resources_types + elif origin_attributes in self.vertices_under_connected_resources_types: + opposite_vertices = self.vertices_under_resource_types + if not opposite_vertices: + continue + + destination_attributes = graph_connector.nodes(data=True)[v] + if destination_attributes in opposite_vertices: + self.populate_checks_results( + origin_attributes=origin_attributes, + destination_attributes=destination_attributes, + passed=passed, + failed=failed, + unknown=unknown, + ) + destination_attributes["connected_node"] = origin_attributes + continue + if origin_attributes.get(CustomAttributes.BLOCK_TYPE) == BlockType.OUTPUT: + print(1) + destination_block_type = destination_attributes.get(CustomAttributes.BLOCK_TYPE) + if destination_block_type == BlockType.OUTPUT: + try: + output_edges = graph_connector.edges(v, data=True) + _, output_destination, _ = next(iter(output_edges)) + output_destination = graph_connector.nodes(data=True)[output_destination] + output_destination_type = output_destination.get(CustomAttributes.RESOURCE_TYPE) + if self.is_associated_edge( + origin_attributes.get(CustomAttributes.RESOURCE_TYPE), output_destination_type + ): + passed.extend([origin_attributes, output_destination]) + except StopIteration: + continue + + def get_rustworkx_operation( + self, + graph_connector: PyDiGraph[Any, Any], + passed: list[dict[str, Any]], + failed: list[dict[str, Any]], + unknown: list[dict[str, Any]], + ) -> None: + for edge in graph_connector.edge_list(): + u, v = edge + origin_attributes = graph_connector.nodes()[u][1] + opposite_vertices = None + if origin_attributes in self.vertices_under_resource_types: + opposite_vertices = self.vertices_under_connected_resources_types + elif origin_attributes in self.vertices_under_connected_resources_types: + opposite_vertices = self.vertices_under_resource_types + if not opposite_vertices: + continue + + destination_attributes = graph_connector.nodes()[v][1] + if destination_attributes in opposite_vertices: + self.populate_checks_results( + origin_attributes=origin_attributes, + destination_attributes=destination_attributes, + passed=passed, + failed=failed, + unknown=unknown, + ) + destination_attributes["connected_node"] = origin_attributes + continue + + destination_block_type = destination_attributes.get(CustomAttributes.BLOCK_TYPE) + if destination_block_type == BlockType.OUTPUT: + try: + output_edges = graph_connector.adj_direction( + v, False + ) # True means inbound edges and False means outbound edges + output_destination_index = next(iter(output_edges)) + output_destination = graph_connector.nodes()[output_destination_index][1] + output_destination_type = output_destination.get(CustomAttributes.RESOURCE_TYPE) + if self.is_associated_edge( + origin_attributes.get(CustomAttributes.RESOURCE_TYPE), output_destination_type + ): + passed.extend([origin_attributes, output_destination]) + except StopIteration: + continue diff --git a/checkov/common/graph/checks_infra/registry.py b/checkov/common/graph/checks_infra/registry.py index 8fec809f7a7..933f843a7bc 100644 --- a/checkov/common/graph/checks_infra/registry.py +++ b/checkov/common/graph/checks_infra/registry.py @@ -26,6 +26,7 @@ def run_checks( ) -> dict[BaseGraphCheck, list[_CheckResult]]: check_results: "dict[BaseGraphCheck, list[_CheckResult]]" = {} + checks_to_run = [c for c in self.checks if runner_filter.should_run_check(c, report_type=report_type)] with concurrent.futures.ThreadPoolExecutor() as executor: concurrent.futures.wait( diff --git a/checkov/common/graph/db_connectors/rustworkx/__init__.py b/checkov/common/graph/db_connectors/rustworkx/__init__.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/checkov/common/graph/db_connectors/rustworkx/rustworkx_db_connector.py b/checkov/common/graph/db_connectors/rustworkx/rustworkx_db_connector.py new file mode 100644 index 00000000000..b2d1168cc96 --- /dev/null +++ b/checkov/common/graph/db_connectors/rustworkx/rustworkx_db_connector.py @@ -0,0 +1,52 @@ +from __future__ import annotations + +from typing import TYPE_CHECKING, TypeVar, Any # noqa + +import rustworkx as rx + +from checkov.common.graph.db_connectors.db_connector import DBConnector + +if TYPE_CHECKING: + from checkov.common.graph.graph_builder.graph_components.blocks import Block # noqa + from checkov.common.graph.graph_builder.local_graph import LocalGraph + +_Block = TypeVar("_Block", bound="Block") + + +class RustworkxConnector(DBConnector["rx.PyDiGraph[Any, Any]"]): + def __init__(self) -> None: + self.graph = rx.PyDiGraph() # type: ignore + + def save_graph(self, local_graph: LocalGraph[_Block], add_bulk_edges: bool = False) -> rx.PyDiGraph: # type: ignore + return self.rustworkx_from_local_graph(local_graph) + + def get_reader_endpoint(self) -> rx.PyDiGraph: # type: ignore + return self.graph + + def get_writer_endpoint(self) -> rx.PyDiGraph: # type: ignore + return self.graph + + def rustworkx_from_local_graph(self, local_graph: LocalGraph[_Block]) -> rx.PyDiGraph: # type: ignore + self.graph = rx.PyDiGraph() + vertices_to_add = [] + for index, vertex in enumerate(local_graph.vertices): + attr = vertex.get_attribute_dict() + vertices_to_add.append((index, attr)) + + edges_to_add = [ + ( + e.origin, + e.dest, + {"label": e.label, "source": e.origin, "target": e.dest}, + ) + for e in local_graph.edges + ] + + self.graph.add_nodes_from(vertices_to_add) + self.graph.add_edges_from(edges_to_add) + + return self.graph + + def disconnect(self) -> None: + # not used, but is an abstractmethod + return None diff --git a/checkov/common/graph/graph_builder/graph_components/block_types.py b/checkov/common/graph/graph_builder/graph_components/block_types.py index 702d3d2b151..c882ade3088 100644 --- a/checkov/common/graph/graph_builder/graph_components/block_types.py +++ b/checkov/common/graph/graph_builder/graph_components/block_types.py @@ -1,10 +1,7 @@ from __future__ import annotations from dataclasses import dataclass -from typing import cast, TYPE_CHECKING - -if TYPE_CHECKING: - from typing_extensions import Literal +from typing import cast, Literal @dataclass diff --git a/checkov/common/images/graph/image_referencer_manager.py b/checkov/common/images/graph/image_referencer_manager.py index 9641d01cb9e..65a08ee382f 100644 --- a/checkov/common/images/graph/image_referencer_manager.py +++ b/checkov/common/images/graph/image_referencer_manager.py @@ -1,19 +1,18 @@ from __future__ import annotations from abc import abstractmethod -from typing import TYPE_CHECKING, Union +from typing import TYPE_CHECKING +from checkov.common.typing import LibraryGraph if TYPE_CHECKING: from checkov.common.images.image_referencer import Image - from networkx import DiGraph - from igraph import Graph class GraphImageReferencerManager: __slots__ = ("graph_connector",) - def __init__(self, graph_connector: Union[Graph, DiGraph]) -> None: + def __init__(self, graph_connector: LibraryGraph) -> None: self.graph_connector = graph_connector @abstractmethod diff --git a/checkov/common/images/graph/image_referencer_provider.py b/checkov/common/images/graph/image_referencer_provider.py index d1f4ad798a2..25d5cb99841 100644 --- a/checkov/common/images/graph/image_referencer_provider.py +++ b/checkov/common/images/graph/image_referencer_provider.py @@ -2,15 +2,18 @@ import itertools import os +import typing from abc import abstractmethod -from typing import TYPE_CHECKING, Callable, Any, Mapping, Union, Generator +from typing import TYPE_CHECKING, Callable, Any, Mapping, Generator from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.images.image_referencer import Image +from checkov.common.typing import LibraryGraph if TYPE_CHECKING: import networkx import igraph + import rustworkx from typing_extensions import TypeAlias _ExtractImagesCallableAlias: TypeAlias = Callable[["dict[str, Any]"], "list[str]"] @@ -19,7 +22,7 @@ class GraphImageReferencerProvider: __slots__ = ("graph_connector", "supported_resource_types", "graph_framework") - def __init__(self, graph_connector: Union[igraph.Graph, networkx.DiGraph], + def __init__(self, graph_connector: LibraryGraph, supported_resource_types: dict[str, _ExtractImagesCallableAlias] | Mapping[ str, _ExtractImagesCallableAlias]): self.graph_connector = graph_connector @@ -30,13 +33,17 @@ def __init__(self, graph_connector: Union[igraph.Graph, networkx.DiGraph], def extract_images_from_resources(self) -> list[Image]: pass - def extract_nodes(self) -> networkx.Graph | igraph.Graph | None: + def extract_nodes(self) -> LibraryGraph | None: if self.graph_framework == 'IGRAPH': return self.extract_nodes_igraph() - else: # the default value of the graph framework is 'NETWORKX' + elif self.graph_framework == 'RUSTWORKX': + return self.extract_nodes_rustworkx() + else: return self.extract_nodes_networkx() def extract_nodes_networkx(self) -> networkx.Graph: + if typing.TYPE_CHECKING: + self.graph_connector = typing.cast(networkx.Graph, self.graph_connector) resource_nodes = [ node for node, resource_type in self.graph_connector.nodes(data=CustomAttributes.RESOURCE_TYPE) @@ -45,7 +52,18 @@ def extract_nodes_networkx(self) -> networkx.Graph: return self.graph_connector.subgraph(resource_nodes) + def extract_nodes_rustworkx(self) -> rustworkx.PyDiGraph[Any, Any]: + resource_nodes = [ + index + for index, node in self.graph_connector.nodes() + if self.resource_type_pred(node, list(self.supported_resource_types)) + ] + + return self.graph_connector.subgraph(resource_nodes) + def extract_nodes_igraph(self) -> igraph.Graph: + if typing.TYPE_CHECKING: + self.graph_connector = typing.cast(igraph.Graph, self.graph_connector) resource_nodes = [ node for node, resource_type in itertools.zip_longest(self.graph_connector.vs['name'], @@ -54,12 +72,16 @@ def extract_nodes_igraph(self) -> igraph.Graph: ] return self.graph_connector.subgraph(resource_nodes) - def extract_resource(self, supported_resources_graph: networkx.Graph | igraph.Graph) -> \ + def extract_resource(self, supported_resources_graph: LibraryGraph) -> \ Generator[dict[str, Any], dict[str, Any], dict[str, Any]]: def extract_resource_networkx(graph: networkx.Graph) -> Generator[dict[str, Any], None, None]: for _, resource in graph.nodes(data=True): yield resource + def extract_resource_rustworkx(graph: rustworkx.PyDiGraph[Any, Any]) -> Generator[dict[str, Any], None, None]: + for _, resource in graph.nodes(): + yield resource + def extract_resource_igraph(graph: igraph.Graph) -> Generator[dict[str, Any], None, None]: for v in graph.vs: resource = { @@ -75,5 +97,11 @@ def extract_resource_igraph(graph: igraph.Graph) -> Generator[dict[str, Any], No graph_resource = extract_resource_networkx(supported_resources_graph) elif self.graph_framework == 'IGRAPH': graph_resource = extract_resource_igraph(supported_resources_graph) + elif self.graph_framework == 'RUSTWORKX': + graph_resource = extract_resource_rustworkx(supported_resources_graph) return graph_resource # type: ignore + + @staticmethod + def resource_type_pred(v: dict[str, Any], resource_types: list[str]) -> bool: + return not resource_types or ("resource_type" in v and v["resource_type"] in resource_types) diff --git a/checkov/common/multi_signature.py b/checkov/common/multi_signature.py index 41ec280a805..07d2740a9fc 100644 --- a/checkov/common/multi_signature.py +++ b/checkov/common/multi_signature.py @@ -4,8 +4,7 @@ from abc import ABCMeta from functools import update_wrapper from types import CodeType -from typing import Callable, Any, TypeVar, cast -from typing_extensions import Protocol +from typing import Callable, Any, TypeVar, cast, Protocol _MultiT = TypeVar("_MultiT") diff --git a/checkov/common/output/cyclonedx.py b/checkov/common/output/cyclonedx.py index a90fedefb0e..f414a34adbf 100644 --- a/checkov/common/output/cyclonedx.py +++ b/checkov/common/output/cyclonedx.py @@ -3,11 +3,10 @@ import itertools import logging import os -import sys from datetime import datetime +from importlib.metadata import version as meta_version from pathlib import Path from typing import TYPE_CHECKING, cast, Any -from checkov.common.output.common import format_string_to_licenses, validate_lines from cyclonedx.model import ( XsUri, @@ -33,7 +32,7 @@ from cyclonedx.output import get_instance, OutputFormat from packageurl import PackageURL -from checkov.common.output.common import ImageDetails +from checkov.common.output.common import format_string_to_licenses, validate_lines, ImageDetails from checkov.common.output.report import CheckType from checkov.common.output.cyclonedx_consts import ( SCA_CHECKTYPES, @@ -48,11 +47,6 @@ from checkov.common.output.record import SCA_PACKAGE_SCAN_CHECK_NAME from checkov.common.sca.commons import UNFIXABLE_VERSION, get_fix_version -if sys.version_info >= (3, 8): - from importlib.metadata import version as meta_version -else: - from importlib_metadata import version as meta_version - if TYPE_CHECKING: from checkov.common.output.extra_resource import ExtraResource from checkov.common.output.record import Record @@ -71,7 +65,7 @@ def create_bom(self) -> Bom: bom = Bom() try: - version = meta_version("checkov") # type:ignore[no-untyped-call] + version = meta_version("checkov") except Exception: # Unable to determine current version of 'checkov' version = "UNKNOWN" diff --git a/checkov/common/output/spdx.py b/checkov/common/output/spdx.py index 45dd56f7865..903c2a8de82 100644 --- a/checkov/common/output/spdx.py +++ b/checkov/common/output/spdx.py @@ -4,6 +4,7 @@ import logging from datetime import datetime, timezone from io import StringIO +from typing import TYPE_CHECKING from uuid import uuid4 from license_expression import get_spdx_licensing @@ -19,6 +20,11 @@ from checkov.common.output.report import Report from checkov.version import version +if TYPE_CHECKING: + from boolean import Expression as LicenseExpression + from spdx_tools.spdx.model import SpdxNoAssertion + + DOCUMENT_NAME = "checkov-sbom" SPDXREF = "SPDXRef-" @@ -60,14 +66,16 @@ def get_tag_value_output(self) -> str: def validate_licenses(self, package: Package, license_: str) -> None: if license_ and license_ not in ["Unknown license", "NOT_FOUND", "Unknown"]: split_licenses = license_.split(",") - licenses = [] + licenses: list[LicenseExpression | SpdxNoAssertion | SpdxNone] = [] for lic in split_licenses: lic = lic.strip('"') try: - licenses.append(get_spdx_licensing().parse(lic)) + license_expression = get_spdx_licensing().parse(lic) + if license_expression is not None: + licenses.append(license_expression) except Exception as e: - logging.info(f"error occured when trying to parse the license:{split_licenses} due to error {e}") + logging.info(f"error occurred when trying to parse the license:{split_licenses} due to error {e}") package.license_info_from_files = licenses def create_package(self, check: Record | ExtraResource) -> Package: diff --git a/checkov/common/runners/base_runner.py b/checkov/common/runners/base_runner.py index 65b1d082edf..d8e2b545963 100644 --- a/checkov/common/runners/base_runner.py +++ b/checkov/common/runners/base_runner.py @@ -6,7 +6,7 @@ import re from abc import ABC, abstractmethod from collections.abc import Iterable -from typing import List, Any, TYPE_CHECKING, TypeVar, Generic, Dict +from typing import List, Any, TYPE_CHECKING, TypeVar, Generic, Dict, Optional from checkov.common.graph.db_connectors.igraph.igraph_db_connector import IgraphConnector from checkov.common.graph.graph_builder import CustomAttributes @@ -14,7 +14,6 @@ from checkov.common.graph.checks_infra.base_check import BaseGraphCheck from checkov.common.output.report import Report -from checkov.common.util.type_forcers import convert_str_to_bool from checkov.runner_filter import RunnerFilter from checkov.common.graph.graph_manager import GraphManager # noqa @@ -45,7 +44,6 @@ def strtobool(val: str) -> int: raise ValueError("invalid boolean value %r for environment variable CKV_IGNORE_HIDDEN_DIRECTORIES" % (val,)) -CHECKOV_CREATE_GRAPH = convert_str_to_bool(os.getenv("CHECKOV_CREATE_GRAPH", "True")) IGNORED_DIRECTORIES_ENV = os.getenv("CKV_IGNORED_DIRECTORIES", "node_modules,.terraform,.serverless") IGNORE_HIDDEN_DIRECTORY_ENV = strtobool(os.getenv("CKV_IGNORE_HIDDEN_DIRECTORIES", "True")) @@ -62,18 +60,22 @@ class BaseRunner(ABC, Generic[_Definitions, _Context, _GraphManager]): graph_manager: _GraphManager | None = None graph_registry: Registry | None = None db_connector: LibraryGraphConnector + resource_subgraph_map: Optional[dict[str, str]] = None def __init__(self, file_extensions: Iterable[str] | None = None, file_names: Iterable[str] | None = None): self.file_extensions = file_extensions or [] self.file_names = file_names or [] self.pbar = ProgressBar(self.check_type) - db_connector_class: "type[NetworkxConnector | IgraphConnector]" = IgraphConnector + db_connector_class: "type[NetworkxConnector | IgraphConnector | RustworkxConnector]" = IgraphConnector graph_framework = os.getenv("CHECKOV_GRAPH_FRAMEWORK", "IGRAPH") if graph_framework == "IGRAPH": db_connector_class = IgraphConnector elif graph_framework == "NETWORKX": from checkov.common.graph.db_connectors.networkx.networkx_db_connector import NetworkxConnector db_connector_class = NetworkxConnector + elif graph_framework == "RUSTWORKX": + from checkov.common.graph.db_connectors.rustworkx.rustworkx_db_connector import RustworkxConnector + db_connector_class = RustworkxConnector self.db_connector = db_connector_class() diff --git a/checkov/common/runners/object_runner.py b/checkov/common/runners/object_runner.py index 6604942f297..eca4579e188 100644 --- a/checkov/common/runners/object_runner.py +++ b/checkov/common/runners/object_runner.py @@ -7,8 +7,8 @@ from abc import abstractmethod from collections.abc import Iterable from pathlib import Path -from typing import Any, TYPE_CHECKING, Callable -from typing_extensions import TypedDict, TypeAlias +from typing import Any, TYPE_CHECKING, Callable, TypedDict +from typing_extensions import TypeAlias # noqa[TC002] from checkov.common.checks_infra.registry import get_graph_checks_registry from checkov.common.models.enums import CheckResult @@ -18,7 +18,7 @@ from checkov.common.output.record import Record from checkov.common.output.report import Report, CheckType from checkov.common.parallelizer.parallel_runner import parallel_runner -from checkov.common.runners.base_runner import BaseRunner, filter_ignored_paths, CHECKOV_CREATE_GRAPH +from checkov.common.runners.base_runner import BaseRunner, filter_ignored_paths from checkov.common.runners.graph_manager import ObjectGraphManager from checkov.common.typing import _CheckResult from checkov.common.util.consts import START_LINE, END_LINE @@ -121,7 +121,7 @@ def run( for directory in external_checks_dir: registry.load_external_checks(directory) - if CHECKOV_CREATE_GRAPH and self.graph_registry: + if self.graph_registry: self.graph_registry.load_external_checks(directory) if not self.context or not self.definitions: @@ -139,7 +139,7 @@ def run( self.context = self.build_definitions_context(definitions=self.definitions, definitions_raw=self.definitions_raw) - if CHECKOV_CREATE_GRAPH and self.graph_registry and self.graph_manager: + if self.graph_registry and self.graph_manager: logging.info(f"Creating {self.source} graph") local_graph = self.graph_manager.build_graph_from_definitions( definitions=self.definitions, graph_class=self.graph_class # type:ignore[arg-type] # the paths are just `str` @@ -158,7 +158,7 @@ def run( self.add_python_check_results(report=report, registry=registry, runner_filter=runner_filter, root_folder=root_folder) # run graph checks - if CHECKOV_CREATE_GRAPH and self.graph_registry: + if self.graph_registry: self.add_graph_check_results(report=report, runner_filter=runner_filter) return report diff --git a/checkov/common/runners/runner_registry.py b/checkov/common/runners/runner_registry.py index 739e762d7a7..6b3fdc442ee 100644 --- a/checkov/common/runners/runner_registry.py +++ b/checkov/common/runners/runner_registry.py @@ -6,13 +6,13 @@ import logging import os import re +import platform +import sys from collections import defaultdict from collections.abc import Iterable from pathlib import Path -from typing import List, Dict, Any, Optional, cast, TYPE_CHECKING, Type - -from typing_extensions import Literal +from typing import List, Dict, Any, Optional, cast, TYPE_CHECKING, Type, Literal from checkov.common.bridgecrew.code_categories import CodeCategoryMapping, CodeCategoryType from checkov.common.bridgecrew.platform_integration import bc_integration @@ -35,7 +35,7 @@ from checkov.common.output.spdx import SPDX from checkov.common.parallelizer.parallel_runner import parallel_runner from checkov.common.resource_code_logger_filter import add_resource_code_filter_to_logger -from checkov.common.typing import _ExitCodeThresholds, _BaseRunner, _ScaExitCodeThresholds +from checkov.common.typing import _ExitCodeThresholds, _BaseRunner, _ScaExitCodeThresholds, LibraryGraph from checkov.common.util import data_structures_utils from checkov.common.util.banner import tool as tool_name from checkov.common.util.data_structures_utils import pickle_deepcopy @@ -51,8 +51,6 @@ from checkov.common.output.baseline import Baseline from checkov.common.runners.base_runner import BaseRunner # noqa from checkov.runner_filter import RunnerFilter - from igraph import Graph - from networkx import DiGraph CONSOLE_OUTPUT = "console" CHECK_BLOCK_TYPES = frozenset(["resource", "data", "provider", "module"]) @@ -95,7 +93,8 @@ def __init__( self._check_type_to_report_map: dict[str, Report] = {} # used for finding reports with the same check type self.licensing_integration = licensing_integration # can be maniuplated by unit tests self.secrets_omitter_class = secrets_omitter_class - self.check_type_to_graph: dict[str, Graph | DiGraph] = {} + self.check_type_to_graph: dict[str, list[tuple[LibraryGraph, Optional[str]]]] = {} + self.check_type_to_resource_subgraph_map: dict[str, dict[str, str]] = {} for runner in runners: if isinstance(runner, image_runner): runner.image_referencers = self.image_referencing_runners @@ -124,7 +123,7 @@ def run( # This is the only runner, so raise a clear indication of failure raise ModuleNotEnabledError(f'The framework "{runner_check_type}" is part of the "{self.licensing_integration.get_subscription_for_runner(runner_check_type).name}" module, which is not enabled in the platform') else: - def _parallel_run(runner: _BaseRunner) -> tuple[Report | list[Report], str | None, DiGraph | Graph | None]: + def _parallel_run(runner: _BaseRunner) -> tuple[Report | list[Report], str | None, Optional[list[tuple[LibraryGraph, Optional[str]]]], Optional[dict[str, str]]]: report = runner.run( root_folder=root_folder, external_checks_dir=external_checks_dir, @@ -138,8 +137,9 @@ def _parallel_run(runner: _BaseRunner) -> tuple[Report | list[Report], str | Non report = Report(check_type=runner.check_type) if runner.graph_manager: - return report, runner.check_type, runner.graph_manager.get_reader_endpoint() - return report, None, None + return report, runner.check_type, self.extract_graphs_from_runner(runner), \ + runner.resource_subgraph_map + return report, None, None, None valid_runners = [] invalid_runners = [] @@ -170,13 +170,18 @@ def _parallel_run(runner: _BaseRunner) -> tuple[Report | list[Report], str | Non group_size=1) reports = [] full_check_type_to_graph = {} + full_check_type_to_resource_subgraph_map = {} for result in parallel_runner_results: if result is not None: - report, check_type, graph = result + report, check_type, graphs, resource_subgraph_map = result reports.append(report) - if check_type is not None and graph is not None: - full_check_type_to_graph[check_type] = graph + if check_type is not None: + if graphs is not None: + full_check_type_to_graph[check_type] = graphs + if resource_subgraph_map is not None: + full_check_type_to_resource_subgraph_map[check_type] = resource_subgraph_map self.check_type_to_graph = full_check_type_to_graph + self.check_type_to_resource_subgraph_map = full_check_type_to_resource_subgraph_map merged_reports = self._merge_reports(reports) if bc_integration.bc_api_key: @@ -190,8 +195,11 @@ def _parallel_run(runner: _BaseRunner) -> tuple[Report | list[Report], str | Non self._handle_report(scan_report, repo_root_for_plan_enrichment) if not self.check_type_to_graph: - self.check_type_to_graph = {runner.check_type: runner.graph_manager.get_reader_endpoint() for runner + self.check_type_to_graph = {runner.check_type: self.extract_graphs_from_runner(runner) for runner in self.runners if runner.graph_manager} + if not self.check_type_to_resource_subgraph_map: + self.check_type_to_resource_subgraph_map = {runner.check_type: runner.resource_subgraph_map for runner in + self.runners if runner.resource_subgraph_map is not None} return self.scan_reports def _merge_reports(self, reports: Iterable[Report | list[Report]]) -> list[Report]: @@ -603,7 +611,10 @@ def _print_to_console(self, output_formats: dict[str, str], output_format: str, if output_dest == CONSOLE_OUTPUT: del output_formats[output_format] - print(output) + if platform.system() == 'Windows': + sys.stdout.buffer.write(output.encode("utf-8")) + else: + print(output) if url: print(f"More details: {url}") @@ -745,3 +756,13 @@ def extract_git_info_from_account_id(account_id: str) -> tuple[str, str]: git_org, git_repository = "", "" return git_org, git_repository + + @staticmethod + def extract_graphs_from_runner(runner: _BaseRunner) -> list[tuple[LibraryGraph, Optional[str]]]: + # exist only for terraform + all_graphs = getattr(runner, 'all_graphs', None) + if all_graphs: + return all_graphs # type:ignore[no-any-return] + elif runner.graph_manager: + return [(runner.graph_manager.get_reader_endpoint(), None)] + return [] diff --git a/checkov/common/sca/reachability/__init__.py b/checkov/common/sca/reachability/__init__.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/checkov/common/sca/reachability/abstract_alias_mapping_strategy.py b/checkov/common/sca/reachability/abstract_alias_mapping_strategy.py new file mode 100644 index 00000000000..427da3ccffa --- /dev/null +++ b/checkov/common/sca/reachability/abstract_alias_mapping_strategy.py @@ -0,0 +1,51 @@ +from abc import ABC, abstractmethod +from typing import List, Dict, Set, Callable, Any +import logging +import os + + +class AbstractAliasMappingStrategy(ABC): + @abstractmethod + def get_language(self) -> str: + pass + + @abstractmethod + def get_file_name_to_parser_map(self) -> Dict[str, Callable[[str, Set[str]], Dict[str, Any]]]: + pass + + @staticmethod + def _add_package_aliases(alias_mapping: Dict[str, Any], language: str, repository_name: str, + file_relative_path: str, package_name: str, package_aliases: List[str]) -> None: + package_aliases_for_file = alias_mapping["languages"].setdefault(language, {"repositories": {}})["repositories"] \ + .setdefault(repository_name, {"files": {}})["files"] \ + .setdefault(file_relative_path, {"packageAliases": {}})["packageAliases"] + if package_name in package_aliases_for_file: + raise Exception(f"aliases for \'{package_name}\' in the file \'{file_relative_path}\' in the repository " + f"\'{repository_name}\' already were set") + package_aliases_for_file[package_name] = {"packageAliases": package_aliases} + + def update_alias_mapping(self, alias_mapping: Dict[str, Any], repository_name: str, root_dir: str, relevant_packages: Set[str])\ + -> None: + logging.debug("[AbstractAliasMappingStrategy](create_alias_mapping) - starting") + file_name_to_parser_map = self.get_file_name_to_parser_map() + for curr_root, _, f_names in os.walk(root_dir): + for file_name in f_names: + if file_name in file_name_to_parser_map: + logging.debug(f"[AbstractAliasMappingStrategy](create_alias_mapping) - starting parsing ${file_name}") + file_absolute_path = os.path.join(curr_root, file_name) + file_relative_path = os.path.relpath(file_absolute_path, root_dir) + with open(file_absolute_path) as f: + file_content = f.read() + try: + output = file_name_to_parser_map[file_name](file_content, relevant_packages) + for package_name in output["packageAliases"]: + self._add_package_aliases(alias_mapping, self.get_language(), repository_name, + file_relative_path, package_name, + output["packageAliases"][package_name]["packageAliases"]) + logging.debug( + f"[AbstractAliasMappingStrategy](create_alias_mapping) - done parsing for ${file_name}") + except Exception: + raise + logging.error(f"[AbstractAliasMappingStrategy](create_alias_mapping) - failure when " + f"parsing the file '${file_name}'. file content:\n{file_content}.\n", + exc_info=True) diff --git a/checkov/common/sca/reachability/alias_mapping_creator.py b/checkov/common/sca/reachability/alias_mapping_creator.py new file mode 100644 index 00000000000..bfc6c1a1d5f --- /dev/null +++ b/checkov/common/sca/reachability/alias_mapping_creator.py @@ -0,0 +1,27 @@ +from __future__ import annotations + +from typing import Dict, Set, Any + +from checkov.common.sca.reachability.abstract_alias_mapping_strategy import AbstractAliasMappingStrategy +from checkov.common.sca.reachability.nodejs.nodejs_alias_mapping_strategy import NodejsAliasMappingStrategy + +language_to_strategy: Dict[str, AbstractAliasMappingStrategy] = { + "nodejs": NodejsAliasMappingStrategy() +} + + +class AliasMappingCreator: + def __init__(self) -> None: + self._alias_mapping: Dict[str, Any] = {"languages": {}} + + def update_alias_mapping_for_repository( + self, + repository_name: str, + repository_root_dir: str, + relevant_packages: Set[str] + ) -> None: + for lang in language_to_strategy: + language_to_strategy[lang].update_alias_mapping(self._alias_mapping, repository_name, repository_root_dir, relevant_packages) + + def get_alias_mapping(self) -> Dict[str, Any]: + return self._alias_mapping diff --git a/checkov/common/sca/reachability/nodejs/__init__.py b/checkov/common/sca/reachability/nodejs/__init__.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/checkov/common/sca/reachability/nodejs/nodejs_alias_mapping_strategy.py b/checkov/common/sca/reachability/nodejs/nodejs_alias_mapping_strategy.py new file mode 100644 index 00000000000..a7e9e59d427 --- /dev/null +++ b/checkov/common/sca/reachability/nodejs/nodejs_alias_mapping_strategy.py @@ -0,0 +1,24 @@ +from __future__ import annotations + +from typing import Dict, Set, Callable, Any + +from checkov.common.sca.reachability.abstract_alias_mapping_strategy import AbstractAliasMappingStrategy +from checkov.common.sca.reachability.nodejs.utils import parse_webpack_file, parse_tsconfig_file, parse_babel_file, \ + parse_rollup_file, parse_package_json_file, parse_snowpack_file, parse_vite_file + + +class NodejsAliasMappingStrategy(AbstractAliasMappingStrategy): + def get_language(self) -> str: + return "nodejs" + + def get_file_name_to_parser_map(self) -> Dict[str, Callable[[str, Set[str]], Dict[str, Any]]]: + return { + "webpack.config.js": parse_webpack_file, + "tsconfig.json": parse_tsconfig_file, + ".babelrc": parse_babel_file, + "babel.config.js": parse_babel_file, + "rollup.config.js": parse_rollup_file, + "package.json": parse_package_json_file, + "snowpack.config.js": parse_snowpack_file, + "vite.config.js": parse_vite_file + } diff --git a/checkov/common/sca/reachability/nodejs/utils.py b/checkov/common/sca/reachability/nodejs/utils.py new file mode 100644 index 00000000000..2eb3aa44f69 --- /dev/null +++ b/checkov/common/sca/reachability/nodejs/utils.py @@ -0,0 +1,126 @@ +from __future__ import annotations + +import os.path +from typing import Dict, Set, Any +import re +import json +import os + + +MODULE_EXPORTS_PATTERN = r'module\.exports\s*=\s*({.*?});' +EXPORT_DEFAULT_PATTERN = r'export\s*default\s*({.*?});' + + +def _parse_export(file_content: str, pattern: str) -> Dict[str, Any] | None: + module_export_match = re.search(pattern, file_content, re.DOTALL) + + if module_export_match: + module_exports_str = module_export_match.group(1) + # for having for all the keys and values double quotes and removing spaces + module_exports_str = re.sub(r'\s+', '', re.sub(r'([{\s,])(\w+):', r'\1"\2":', module_exports_str) + .replace("'", "\"")) + module_exports: Dict[str, Any] = json.loads(module_exports_str) + return module_exports + return None + + +def parse_webpack_file(file_content: str, relevant_packages: Set[str]) -> Dict[str, Any]: + output: Dict[str, Any] = {"packageAliases": {}} + module_exports_json = _parse_export(file_content, MODULE_EXPORTS_PATTERN) + if module_exports_json: + aliases = module_exports_json.get("resolve", {}).get("alias", {}) + for imported_name in aliases: + package_name = aliases[imported_name] + if package_name in relevant_packages: + output["packageAliases"].setdefault(package_name, {"packageAliases": []})["packageAliases"].append(imported_name) + return output + + +def parse_tsconfig_file(file_content: str, relevant_packages: Set[str]) -> Dict[str, Any]: + output: Dict[str, Any] = {"packageAliases": {}} + tsconfig_json = json.loads(file_content) + paths = tsconfig_json.get("compilerOptions", {}).get("paths", {}) + for imported_name in paths: + for package_relative_path in paths[imported_name]: + package_name = os.path.basename(package_relative_path) + if package_name in relevant_packages: + output["packageAliases"].setdefault(package_name, {"packageAliases": []})["packageAliases"].append(imported_name) + return output + + +def parse_babel_file(file_content: str, relevant_packages: Set[str]) -> Dict[str, Any]: + output: Dict[str, Any] = {"packageAliases": {}} + babelrc_json = json.loads(file_content) + plugins = babelrc_json.get("plugins", {}) + for plugin in plugins: + if len(plugin) > 1: + plugin_object = plugin[1] + aliases = plugin_object.get("alias", {}) + for imported_name in aliases: + package_name = aliases[imported_name] + if package_name in relevant_packages: + output["packageAliases"].setdefault(package_name, {"packageAliases": []})["packageAliases"].append(imported_name) + return output + + +def parse_rollup_file(file_content: str, relevant_packages: Set[str]) -> Dict[str, Any]: + output: Dict[str, Any] = {"packageAliases": {}} + export_default_match = re.search(EXPORT_DEFAULT_PATTERN, file_content, re.DOTALL) + if export_default_match: + export_default_str = export_default_match.group(1) + # for having for all the keys and values doube quotes and removing spaces + export_default_str = re.sub(r'\s+', '', re.sub(r'([{\s,])(\w+):', r'\1"\2":', export_default_str) + .replace("'", "\"")) + + # Defining a regular expression pattern to match the elements within the "plugins" list + pattern = r'alias\(\{[^)]*\}\)' + matches = re.findall(pattern, export_default_str) + + for alias_object_str in matches: + alias_object = json.loads(alias_object_str[6:-1]) # removing 'alias(' and ')' + for entry in alias_object.get("entries", []): + package_name = entry["replacement"] + if entry["replacement"] in relevant_packages: + imported_name = entry["find"] + output["packageAliases"].setdefault(package_name, {"packageAliases": []})["packageAliases"].append(imported_name) + return output + + +def parse_package_json_file(file_content: str, relevant_packages: Set[str]) -> Dict[str, Any]: + output: Dict[str, Any] = {"packageAliases": {}} + package_json = json.loads(file_content) + aliases: Dict[str, str] = dict() + if "alias" in package_json: + aliases.update(package_json["alias"]) + if package_json.get("aliasify", {}).get("aliases"): + aliases.update(package_json["aliasify"]["aliases"]) + for imported_name in aliases: + package_name = aliases[imported_name] + if package_name in relevant_packages: + output["packageAliases"].setdefault(package_name, {"packageAliases": []})["packageAliases"].append(imported_name) + return output + + +def parse_snowpack_file(file_content: str, relevant_packages: Set[str]) -> Dict[str, Any]: + output: Dict[str, Any] = {"packageAliases": {}} + module_exports_json = _parse_export(file_content, MODULE_EXPORTS_PATTERN) + if module_exports_json: + aliases = module_exports_json.get("alias", {}) + for imported_name in aliases: + package_name = aliases[imported_name] + if package_name in relevant_packages: + if package_name in relevant_packages: + output["packageAliases"].setdefault(package_name, {"packageAliases": []})["packageAliases"].append(imported_name) + return output + + +def parse_vite_file(file_content: str, relevant_packages: Set[str]) -> Dict[str, Any]: + output: Dict[str, Any] = {"packageAliases": {}} + export_default_match = _parse_export(file_content, EXPORT_DEFAULT_PATTERN) + if export_default_match: + aliases = export_default_match.get("resolve", {}).get("alias", {}) + for imported_name in aliases: + package_name = aliases[imported_name] + if package_name in relevant_packages: + output["packageAliases"].setdefault(package_name, {"packageAliases": []})["packageAliases"].append(imported_name) + return output diff --git a/checkov/common/typing.py b/checkov/common/typing.py index 7ff8db1b6be..a57367a42b5 100644 --- a/checkov/common/typing.py +++ b/checkov/common/typing.py @@ -1,7 +1,7 @@ from __future__ import annotations -from typing import TYPE_CHECKING, Any, Callable, Dict, TypeVar, Set, Union -from typing_extensions import TypeAlias, TypedDict +from typing import TYPE_CHECKING, Any, Callable, Dict, TypeVar, Set, Union, TypedDict +from typing_extensions import TypeAlias # noqa[TC002] if TYPE_CHECKING: from checkov.common.bridgecrew.severities import Severity @@ -11,6 +11,7 @@ from checkov.common.runners.base_runner import BaseRunner # noqa from networkx import DiGraph from igraph import Graph + from rustworkx import PyDiGraph from checkov.terraform.modules.module_objects import TFDefinitionKey _BaseRunner = TypeVar("_BaseRunner", bound="BaseRunner[Any, Any, Any]") @@ -22,8 +23,8 @@ _Resource: TypeAlias = str _Attributes: TypeAlias = Set[str] ResourceAttributesToOmit: TypeAlias = Dict[_Resource, _Attributes] -LibraryGraph: TypeAlias = "Union[DiGraph, Graph]" -LibraryGraphConnector: TypeAlias = "Union[DBConnector[DiGraph], DBConnector[Graph]]" +LibraryGraph: TypeAlias = "Union[DiGraph, Graph, PyDiGraph]" +LibraryGraphConnector: TypeAlias = "Union[DBConnector[DiGraph], DBConnector[Graph], DBConnector[PyDiGraph]]" # TODO Remove this type and only use TFDefinitionKey TFDefinitionKeyType: TypeAlias = "Union[str, TFDefinitionKey]" diff --git a/checkov/common/util/deep_merge.py b/checkov/common/util/deep_merge.py new file mode 100644 index 00000000000..0a48530bfbd --- /dev/null +++ b/checkov/common/util/deep_merge.py @@ -0,0 +1,122 @@ +"""Original code: https://github.com/halfak/deep_merge""" +from __future__ import annotations + +from typing import Any, TypeVar, Callable, Protocol + +from typing_extensions import TypeAlias # noqa[TC002] + +from checkov.common.util.data_structures_utils import pickle_deepcopy + +_T = TypeVar("_T") +_MergeDict = TypeVar("_MergeDict", bound="dict[Any, Any]") +_OverwriteFunc: TypeAlias = "Callable[..., Any]" + + +class _MergeDictsFunc(Protocol): + def __call__( + self, + d1: _MergeDict, + d2: _MergeDict, + *, + merge_lists: _OverwriteFunc, + merge_ints: _OverwriteFunc, + merge_floats: _OverwriteFunc, + merge_strings: _OverwriteFunc, + merge_other: _OverwriteFunc, + ) -> _MergeDict: + ... + + +def overwrite(v1: _T, v2: _T, **kwargs: Any) -> _T: + """ + Completely overwrites one value with another. + """ + return pickle_deepcopy(v2) + + +def merge_dicts( + d1: _MergeDict, + d2: _MergeDict, + merge_lists: _OverwriteFunc = overwrite, + merge_ints: _OverwriteFunc = overwrite, + merge_floats: _OverwriteFunc = overwrite, + merge_strings: _OverwriteFunc = overwrite, + merge_other: _OverwriteFunc = overwrite, +) -> _MergeDict: + """ + Recursively merges values from d2 into d1. + """ + kwargs = { + "merge_lists": merge_lists, + "merge_ints": merge_ints, + "merge_floats": merge_floats, + "merge_strings": merge_strings, + "merge_other": merge_other, + } + for key in d2: + if key in d1: + if isinstance(d1[key], dict) and isinstance(d2[key], dict): + d1[key] = merge_dicts(d1[key], d2[key], **kwargs) + elif isinstance(d1[key], list) and isinstance(d2[key], list): + d1[key] = merge_lists(d1[key], d2[key], **kwargs) + elif isinstance(d1[key], int) and isinstance(d2[key], int): + d1[key] = merge_ints(d1[key], d2[key], **kwargs) + elif isinstance(d1[key], float) and isinstance(d2[key], float): + d1[key] = merge_ints(d1[key], d2[key], **kwargs) + elif isinstance(d1[key], str) and isinstance(d2[key], str): + d1[key] = merge_strings(d1[key], d2[key], **kwargs) + else: + d1[key] = merge_other(d1[key], d2[key], **kwargs) + else: + d1[key] = overwrite(None, d2[key]) + + return d1 + + +def pickle_deep_merge( + *dicts: _MergeDict, + merge_dicts: _MergeDictsFunc = merge_dicts, + merge_lists: _OverwriteFunc = overwrite, + merge_ints: _OverwriteFunc = overwrite, + merge_floats: _OverwriteFunc = overwrite, + merge_strings: _OverwriteFunc = overwrite, + merge_other: _OverwriteFunc = overwrite, +) -> _MergeDict: + """ + Recursively merges dictionaries and the datastructures they contain. + + :Parameters: + *dicts : `dict` + Dictionaries to be merged. Items that appear last will take higher + precedence when merging. + merge_dicts : `func` + The function to apply when merging dictionaries. + merge_lists : `func` + The function to apply when merging lists. + merge_ints : `func` + The function to apply when merging integers. + merge_floats : `func` + The function to apply when merging floats. + merge_strings : `func` + The function to apply when merging strings. + merge_other : `func` + The function to apply when merging other types or types that do not + match. + """ + for param in dicts: + if not isinstance(param, dict): + raise TypeError("{0} is not a dict".format(param)) + + d = dicts[0] + for d_update in dicts[1:]: + d = merge_dicts( + d, + d_update, + merge_lists=merge_lists, + merge_ints=merge_ints, + merge_floats=merge_floats, + merge_strings=merge_strings, + merge_other=merge_other, + ) + + return d diff --git a/checkov/common/util/env_vars_config.py b/checkov/common/util/env_vars_config.py index 6a3bfca29b9..8bdd3648399 100644 --- a/checkov/common/util/env_vars_config.py +++ b/checkov/common/util/env_vars_config.py @@ -22,7 +22,6 @@ def __init__(self) -> None: self.CHECK_FAIL_LEVEL = os.getenv("CHECKOV_CHECK_FAIL_LEVEL", CheckFailLevel.ERROR) self.CREATE_COMPLEX_VERTICES = convert_str_to_bool(os.getenv("CREATE_COMPLEX_VERTICES", True)) self.CREATE_EDGES = convert_str_to_bool(os.getenv("CREATE_EDGES", True)) - self.CREATE_GRAPH = convert_str_to_bool(os.getenv("CHECKOV_CREATE_GRAPH", True)) self.CREATE_MARKDOWN_HYPERLINKS = convert_str_to_bool(os.getenv("CHECKOV_CREATE_MARKDOWN_HYPERLINKS", False)) self.CREATE_SCA_IMAGE_REPORTS_FOR_IR = convert_str_to_bool( os.getenv("CHECKOV_CREATE_SCA_IMAGE_REPORTS_FOR_IR", True) diff --git a/checkov/common/util/http_utils.py b/checkov/common/util/http_utils.py index f673a857bec..42ceb011dee 100644 --- a/checkov/common/util/http_utils.py +++ b/checkov/common/util/http_utils.py @@ -18,6 +18,7 @@ from checkov.common.util.consts import DEV_API_GET_HEADERS, DEV_API_POST_HEADERS, PRISMA_API_GET_HEADERS, \ PRISMA_PLATFORM, BRIDGECREW_PLATFORM from checkov.common.util.data_structures_utils import merge_dicts +from checkov.common.util.type_forcers import force_int, force_float from checkov.version import version as checkov_version if TYPE_CHECKING: @@ -25,7 +26,12 @@ from requests import Response # https://requests.readthedocs.io/en/latest/user/advanced/#timeouts -DEFAULT_TIMEOUT = (3.1, 30) +REQUEST_CONNECT_TIMEOUT = force_float(os.getenv("CHECKOV_REQUEST_CONNECT_TIMEOUT")) or 3.1 +REQUEST_READ_TIMEOUT = force_int(os.getenv("CHECKOV_REQUEST_READ_TIMEOUT")) or 30 +DEFAULT_TIMEOUT = (REQUEST_CONNECT_TIMEOUT, REQUEST_READ_TIMEOUT) + +# https://urllib3.readthedocs.io/en/stable/user-guide.html#retrying-requests +REQUEST_RETRIES = force_int(os.getenv("CHECKOV_REQUEST_RETRIES")) or 3 logger = logging.getLogger(__name__) add_resource_code_filter_to_logger(logger) @@ -202,16 +208,10 @@ async def aiohttp_client_session_wrapper( request_max_tries = int(os.getenv('REQUEST_MAX_TRIES', 3)) sleep_between_request_tries = float(os.getenv('SLEEP_BETWEEN_REQUEST_TRIES', 1)) - try: # TODO: test again, when Python 3.11 is out - import aiodns # type: ignore[import] # noqa: F401 - resolver: "aiohttp.abc.AbstractResolver" = aiohttp.AsyncResolver() - except ImportError: - resolver = aiohttp.ThreadedResolver() - # adding retry mechanism for avoiding the next repeated unexpected issues: # 1. Gateway Timeout from the server # 2. ClientOSError - async with aiohttp.ClientSession(connector=aiohttp.TCPConnector(resolver=resolver)) as session: + async with aiohttp.ClientSession(connector=aiohttp.TCPConnector(resolver=aiohttp.AsyncResolver())) as session: for i in range(request_max_tries): logging.info( f"[http_utils](aiohttp_client_session_wrapper) reporting attempt {i + 1} out of {request_max_tries}") diff --git a/checkov/common/vcs/base_vcs_dal.py b/checkov/common/vcs/base_vcs_dal.py index 7a098e9f275..94070dd212a 100644 --- a/checkov/common/vcs/base_vcs_dal.py +++ b/checkov/common/vcs/base_vcs_dal.py @@ -10,7 +10,7 @@ import urllib3 from checkov.common.util.data_structures_utils import merge_dicts -from checkov.common.util.http_utils import get_user_agent_header +from checkov.common.util.http_utils import get_user_agent_header, REQUEST_CONNECT_TIMEOUT, REQUEST_READ_TIMEOUT, REQUEST_RETRIES class BaseVCSDAL: @@ -29,6 +29,8 @@ def __init__(self) -> None: self.org_complementary_metadata: dict[str, Any] = {} self.repo_complementary_metadata: dict[str, Any] = {} self.http: urllib3.PoolManager | None = None + self.http_timeout = urllib3.Timeout(connect=REQUEST_CONNECT_TIMEOUT, read=REQUEST_READ_TIMEOUT) + self.http_retry = urllib3.Retry(REQUEST_RETRIES, redirect=3) self.setup_http_manager(ca_certificate=os.getenv('BC_CA_BUNDLE', None)) self.discover() self.setup_conf_dir() @@ -51,18 +53,32 @@ def setup_http_manager(self, ca_certificate: str | None = None) -> None: os.environ['REQUESTS_CA_BUNDLE'] = ca_certificate try: parsed_url = urllib3.util.parse_url(os.environ['https_proxy']) - self.http = urllib3.ProxyManager(os.environ['https_proxy'], cert_reqs='REQUIRED', - ca_certs=ca_certificate, - proxy_headers=urllib3.make_headers(proxy_basic_auth=parsed_url.auth)) # type:ignore[no-untyped-call] + self.http = urllib3.ProxyManager( + os.environ['https_proxy'], + cert_reqs='REQUIRED', + ca_certs=ca_certificate, + proxy_headers=urllib3.make_headers(proxy_basic_auth=parsed_url.auth), # type:ignore[no-untyped-call] + timeout=self.http_timeout, + retries=self.http_retry, + ) except KeyError: - self.http = urllib3.PoolManager(cert_reqs='REQUIRED', ca_certs=ca_certificate) + self.http = urllib3.PoolManager( + cert_reqs='REQUIRED', + ca_certs=ca_certificate, + timeout=self.http_timeout, + retries=self.http_retry, + ) else: try: parsed_url = urllib3.util.parse_url(os.environ['https_proxy']) - self.http = urllib3.ProxyManager(os.environ['https_proxy'], - proxy_headers=urllib3.make_headers(proxy_basic_auth=parsed_url.auth)) # type:ignore[no-untyped-call] + self.http = urllib3.ProxyManager( + os.environ['https_proxy'], + proxy_headers=urllib3.make_headers(proxy_basic_auth=parsed_url.auth), # type:ignore[no-untyped-call] + timeout=self.http_timeout, + retries=self.http_retry, + ) except KeyError: - self.http = urllib3.PoolManager() + self.http = urllib3.PoolManager(timeout=self.http_timeout, retries=self.http_retry) def _request(self, endpoint: str, allowed_status_codes: list[int]) -> dict[str, Any] | None: if allowed_status_codes is None: diff --git a/checkov/dockerfile/runner.py b/checkov/dockerfile/runner.py index b52db37aeb4..e915ac363f8 100644 --- a/checkov/dockerfile/runner.py +++ b/checkov/dockerfile/runner.py @@ -17,7 +17,7 @@ from checkov.common.output.report import Report from checkov.common.output.extra_resource import ExtraResource from checkov.common.bridgecrew.check_type import CheckType -from checkov.common.runners.base_runner import BaseRunner, CHECKOV_CREATE_GRAPH +from checkov.common.runners.base_runner import BaseRunner from checkov.common.util.consts import START_LINE, END_LINE from checkov.common.util.dockerfile import is_dockerfile from checkov.common.typing import _CheckResult @@ -95,7 +95,7 @@ def run( for directory in external_checks_dir: registry.load_external_checks(directory) - if CHECKOV_CREATE_GRAPH and self.graph_registry: + if self.graph_registry: self.graph_registry.load_external_checks(directory) if files: @@ -111,7 +111,7 @@ def run( self.context = build_definitions_context(definitions=self.definitions, definitions_raw=self.definitions_raw) - if CHECKOV_CREATE_GRAPH and self.graph_registry and self.graph_manager: + if self.graph_registry and self.graph_manager: logging.info("Creating Dockerfile graph") local_graph = self.graph_manager.build_graph_from_definitions(definitions=self.definitions) logging.info("Successfully created Dockerfile graph") @@ -124,7 +124,7 @@ def run( self.add_python_check_results(report=report, runner_filter=runner_filter, root_folder=root_folder) # run graph checks - if CHECKOV_CREATE_GRAPH and self.graph_registry: + if self.graph_registry: self.add_graph_check_results(report=report, runner_filter=runner_filter, root_folder=root_folder) if runner_filter.run_image_referencer: diff --git a/checkov/dockerfile/utils.py b/checkov/dockerfile/utils.py index a7745293f3a..24cb50e39d4 100644 --- a/checkov/dockerfile/utils.py +++ b/checkov/dockerfile/utils.py @@ -4,7 +4,7 @@ import os from collections.abc import Iterable from pathlib import Path -from typing import TYPE_CHECKING, Callable, Any +from typing import TYPE_CHECKING, Callable, Any, Literal from dockerfile_parse.constants import COMMENT_INSTRUCTION @@ -15,7 +15,6 @@ if TYPE_CHECKING: from dockerfile_parse.parser import _Instruction # only in extra_stubs - from typing_extensions import Literal DOCKERFILE_STARTLINE: Literal["startline"] = "startline" DOCKERFILE_ENDLINE: Literal["endline"] = "endline" diff --git a/checkov/kubernetes/runner.py b/checkov/kubernetes/runner.py index 7644761031d..9acf4685968 100644 --- a/checkov/kubernetes/runner.py +++ b/checkov/kubernetes/runner.py @@ -16,7 +16,7 @@ from checkov.common.output.record import Record from checkov.common.output.report import Report, merge_reports from checkov.common.bridgecrew.check_type import CheckType -from checkov.common.runners.base_runner import BaseRunner, CHECKOV_CREATE_GRAPH +from checkov.common.runners.base_runner import BaseRunner from checkov.common.util.data_structures_utils import pickle_deepcopy from checkov.kubernetes.checks.resource.registry import registry from checkov.kubernetes.graph_builder.local_graph import KubernetesLocalGraph @@ -102,13 +102,13 @@ def run( for directory in external_checks_dir: registry.load_external_checks(directory) - if CHECKOV_CREATE_GRAPH and self.graph_registry: + if self.graph_registry: self.graph_registry.load_external_checks(directory) self.context = build_definitions_context(self.definitions, self.definitions_raw) self.spread_list_items() - if CHECKOV_CREATE_GRAPH and self.graph_manager: + if self.graph_manager: logging.info("creating Kubernetes graph") local_graph = self.graph_manager.build_graph_from_definitions(pickle_deepcopy(self.definitions)) logging.info("Successfully created Kubernetes graph") @@ -120,7 +120,7 @@ def run( self.pbar.initiate(len(self.definitions)) report = self.check_definitions(root_folder, runner_filter, report, collect_skip_comments=collect_skip_comments) - if CHECKOV_CREATE_GRAPH and self.graph_manager: + if self.graph_manager: graph_report = self.get_graph_checks_report(root_folder, runner_filter) merge_reports(report, graph_report) diff --git a/checkov/main.py b/checkov/main.py index 1b7c392a12a..0c75860db54 100755 --- a/checkov/main.py +++ b/checkov/main.py @@ -12,7 +12,7 @@ import platform from collections import defaultdict from pathlib import Path -from typing import TYPE_CHECKING +from typing import TYPE_CHECKING, Literal, Optional import argcomplete import configargparse @@ -45,6 +45,7 @@ from checkov.common.bridgecrew.check_type import checkov_runners, CheckType from checkov.common.resource_code_logger_filter import add_resource_code_filter_to_logger from checkov.common.runners.runner_registry import RunnerRegistry +from checkov.common.typing import LibraryGraph from checkov.common.util import prompt from checkov.common.util.banner import banner as checkov_banner, tool as checkov_tool from checkov.common.util.config_utils import get_default_config_paths @@ -82,9 +83,6 @@ if TYPE_CHECKING: from checkov.common.output.report import Report from configargparse import Namespace - from typing_extensions import Literal - from igraph import Graph - from networkx import DiGraph signal.signal(signal.SIGINT, lambda x, y: sys.exit('')) @@ -131,7 +129,8 @@ def __init__(self, argv: list[str] = sys.argv[1:]) -> None: self.runners = DEFAULT_RUNNERS self.scan_reports: "list[Report]" = [] self.run_metadata: dict[str, str | list[str]] = {} - self.graphs: dict[str, DiGraph | Graph] = {} + self.graphs: dict[str, list[tuple[LibraryGraph, Optional[str]]]] = {} + self.resource_subgraph_maps: dict[str, dict[str, str]] = {} self.url: str | None = None self.parse_config(argv=argv) @@ -386,7 +385,7 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ logger.error('Please try setting the environment variable LOG_LEVEL=DEBUG and re-running the command, and provide the output to support', exc_info=True) self.exit_run() else: - if self.config.support: + if bc_integration.support_flag_enabled: logger.warning("--bc-api-key argument is required when using --support") logger.debug('No API key found. Scanning locally only.') self.config.include_all_checkov_policies = True @@ -412,6 +411,21 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ '(but note that this will not include any custom platform configurations or policy metadata).', file=sys.stderr) self.exit_run() + bc_integration.setup_on_prem() + if bc_integration.on_prem: + # disable --support for on-premises integrations + if bc_integration.support_flag_enabled: + logger.warning("--support flag is not supported for on-premises integrations") + bc_integration.support_flag_enabled = False + # disable sca_package, sca_image for on-premises integrations + if not outer_registry: + removed_check_types = [] + for runner in list(runner_registry.runners): + if runner.check_type in [CheckType.SCA_IMAGE, CheckType.SCA_PACKAGE]: + removed_check_types.append(runner.check_type) + runner_registry.runners.remove(runner) + if removed_check_types: + logger.warning(f"Following runners won't run as they are not supported for on-premises integrations: {removed_check_types}") bc_integration.get_prisma_build_policies(self.config.policy_metadata_filter) @@ -473,6 +487,7 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ files=file, ) self.graphs = runner_registry.check_type_to_graph + self.resource_subgraph_maps = runner_registry.check_type_to_resource_subgraph_map if runner_registry.is_error_in_reports(self.scan_reports): self.exit_run() if baseline: @@ -530,8 +545,8 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ self.parser.error("--branch argument is required when using --docker-image") return None files = [os.path.abspath(self.config.dockerfile_path)] - runner = sca_image_runner() - result = runner.run( + sca_runner = sca_image_runner() + result = sca_runner.run( root_folder='', image_id=self.config.docker_image, dockerfile_path=self.config.dockerfile_path, @@ -549,13 +564,12 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ if not self.config.skip_results_upload: bc_integration.persist_repository(os.path.dirname(self.config.dockerfile_path), files=files) bc_integration.persist_scan_results(self.scan_reports) - bc_integration.persist_image_scan_results(runner.raw_report, self.config.dockerfile_path, + bc_integration.persist_image_scan_results(sca_runner.raw_report, self.config.dockerfile_path, self.config.docker_image, self.config.branch) bc_integration.persist_run_metadata(self.run_metadata) - if bc_integration.enable_persist_graphs: - bc_integration.persist_graphs(self.graphs) + # there is no graph to persist self.url = self.commit_repository() should_run_contributor_metrics = bc_integration.bc_api_key and self.config.repo_id and self.config.prisma_api_url @@ -576,6 +590,7 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ repo_root_for_plan_enrichment=self.config.repo_root_for_plan_enrichment, ) self.graphs = runner_registry.check_type_to_graph + self.resource_subgraph_maps = runner_registry.check_type_to_resource_subgraph_map if runner_registry.is_error_in_reports(self.scan_reports): self.exit_run() if baseline: @@ -630,7 +645,7 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ raise finally: - if self.config.support: + if bc_integration.support_flag_enabled: bc_integration.persist_logs_stream(logs_stream) def exit_run(self) -> None: @@ -664,23 +679,24 @@ def upload_results( ) -> None: """Upload scan results and other relevant files""" - bc_integration.persist_repository( - root_dir=root_folder, - files=files, - excluded_paths=excluded_paths, - included_paths=included_paths, - ) - if git_configuration_folders: - bc_integration.persist_git_configuration(os.getcwd(), git_configuration_folders) - if sca_supported_ir_report: - scan_reports_to_upload = [report for report in self.scan_reports if report.check_type != 'sca_image'] - scan_reports_to_upload.append(sca_supported_ir_report) - else: - scan_reports_to_upload = self.scan_reports + scan_reports_to_upload = self.scan_reports + if not bc_integration.on_prem: + bc_integration.persist_repository( + root_dir=root_folder, + files=files, + excluded_paths=excluded_paths, + included_paths=included_paths, + ) + if git_configuration_folders: + bc_integration.persist_git_configuration(os.getcwd(), git_configuration_folders) + if sca_supported_ir_report: + scan_reports_to_upload = [report for report in self.scan_reports if report.check_type != 'sca_image'] + scan_reports_to_upload.append(sca_supported_ir_report) bc_integration.persist_scan_results(scan_reports_to_upload) bc_integration.persist_run_metadata(self.run_metadata) if bc_integration.enable_persist_graphs: bc_integration.persist_graphs(self.graphs, absolute_root_folder=absolute_root_folder) + bc_integration.persist_resource_subgraph_maps(self.resource_subgraph_maps) self.url = self.commit_repository() def print_results( diff --git a/checkov/openapi/checks/resource/generic/SecurityOperations.py b/checkov/openapi/checks/resource/generic/SecurityOperations.py index 0b92ed07e4b..dfa17a1d8d3 100644 --- a/checkov/openapi/checks/resource/generic/SecurityOperations.py +++ b/checkov/openapi/checks/resource/generic/SecurityOperations.py @@ -16,8 +16,12 @@ def __init__(self) -> None: block_type=BlockType.DOCUMENT) def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> tuple[CheckResult, dict[str, Any]]: # type:ignore[override] # return type is different than the base class - self.evaluated_keys = ['paths'] + self.evaluated_keys = ['security', 'paths'] + # Check if security field is present and not empty at the root level + root_security = conf.get('security') + + # If security field is not present or empty at the root level, check within each operation paths = conf.get('paths', {}) or {} if isinstance(paths, dict): for path, http_method in paths.items(): @@ -30,12 +34,14 @@ def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> tuple[Chec self.evaluated_keys = ['security'] if not isinstance(op_val, dict): continue - if 'security' not in op_val: + op_security = op_val.get("security") + if op_security is not None and not op_security: + # fails when security field is set as empty list return CheckResult.FAILED, conf - security = op_val['security'] - if not security: - return CheckResult.FAILED, paths + if op_security is None and not root_security: + # no security field for the operation and not in the root + return CheckResult.FAILED, conf return CheckResult.PASSED, conf diff --git a/checkov/sca_package_2/runner.py b/checkov/sca_package_2/runner.py index d68525f2800..06caaa53a44 100644 --- a/checkov/sca_package_2/runner.py +++ b/checkov/sca_package_2/runner.py @@ -140,6 +140,13 @@ def run( return report + def _persist_file_if_required(self, package_files_to_persist: List[FileToPersist], + file_path: Path, root_path: Path | None) -> None: + if file_path.name in SCANNABLE_PACKAGE_FILES or file_path.suffix in SCANNABLE_PACKAGE_FILES_EXTENSIONS: + file_path_str = str(file_path) + # in case of root_path is None, we will get the path in related to the current work dir + package_files_to_persist.append(FileToPersist(file_path_str, os.path.relpath(file_path_str, root_path))) + def upload_package_files( self, root_path: Path | None, @@ -154,21 +161,18 @@ def upload_package_files( try: if root_path: for file_path in root_path.glob("**/*"): - if (file_path.name in SCANNABLE_PACKAGE_FILES or file_path.suffix in SCANNABLE_PACKAGE_FILES_EXTENSIONS) and not any( - p in file_path.parts for p in excluded_paths) and file_path.name not in excluded_file_names: - file_path_str = str(file_path) - package_files_to_persist.append( - FileToPersist(file_path_str, os.path.relpath(file_path_str, root_path))) + if any(p in file_path.parts for p in excluded_paths) or file_path.name in excluded_file_names: + logging.debug(f"[sca_package:runner](upload_package_files) - File {file_path} was excluded") + continue + self._persist_file_if_required(package_files_to_persist, file_path, root_path) if files: - root_folder = os.path.split(os.path.commonprefix(files))[0] for file in files: file_path = Path(file) if not file_path.exists(): - logging.warning(f"File {file_path} doesn't exist") + logging.warning(f"[sca_package:runner](upload_package_files) - File {file_path} doesn't exist") continue - if file_path.name in SCANNABLE_PACKAGE_FILES or file_path.suffix in SCANNABLE_PACKAGE_FILES_EXTENSIONS: - package_files_to_persist.append(FileToPersist(file, os.path.relpath(file, root_folder))) + self._persist_file_if_required(package_files_to_persist, file_path, root_path) logging.info(f"{len(package_files_to_persist)} sca package files found.") bc_integration.persist_files(package_files_to_persist) diff --git a/checkov/secrets/coordinator.py b/checkov/secrets/coordinator.py index cc207a048dd..e2b5e6f389f 100644 --- a/checkov/secrets/coordinator.py +++ b/checkov/secrets/coordinator.py @@ -1,6 +1,5 @@ from __future__ import annotations -from typing import Iterable -from typing_extensions import TypedDict +from typing import Iterable, TypedDict class EnrichedSecret(TypedDict): diff --git a/checkov/secrets/git_history_store.py b/checkov/secrets/git_history_store.py index 24f6732124d..b4409637620 100644 --- a/checkov/secrets/git_history_store.py +++ b/checkov/secrets/git_history_store.py @@ -2,8 +2,7 @@ import logging from collections import defaultdict -from typing import TYPE_CHECKING, Dict, List, Optional -from typing_extensions import TypedDict +from typing import TYPE_CHECKING, Dict, List, Optional, TypedDict from checkov.common.util.data_structures_utils import pickle_deepcopy from checkov.common.util.secrets import omit_secret_value_from_line diff --git a/checkov/secrets/git_types.py b/checkov/secrets/git_types.py index fb7056cc8cd..1f6556e455a 100644 --- a/checkov/secrets/git_types.py +++ b/checkov/secrets/git_types.py @@ -1,8 +1,7 @@ from __future__ import annotations import logging -from typing import Optional, TYPE_CHECKING -from typing_extensions import TypedDict +from typing import Optional, TYPE_CHECKING, TypedDict if TYPE_CHECKING: from detect_secrets.core.potential_secret import PotentialSecret diff --git a/checkov/secrets/plugins/custom_regex_detector.py b/checkov/secrets/plugins/custom_regex_detector.py index f5e4dba8d63..b444dc977ce 100644 --- a/checkov/secrets/plugins/custom_regex_detector.py +++ b/checkov/secrets/plugins/custom_regex_detector.py @@ -83,7 +83,6 @@ def analyze_line( **kwargs ) - # ToDo: Comment out once fix performence # type: ignore if filename not in self._analyzed_files: self._analyzed_files.add(filename) # We only want to read file if: there is regex supporting it & file size is not over MAX_FILE_SIZE diff --git a/checkov/terraform/base_runner.py b/checkov/terraform/base_runner.py new file mode 100644 index 00000000000..85cd5dda87c --- /dev/null +++ b/checkov/terraform/base_runner.py @@ -0,0 +1,244 @@ +from __future__ import annotations + +import os +import platform +from abc import abstractmethod +from typing import Dict, Optional, Any, Set, TYPE_CHECKING, TypeVar, Generic + +import dpath +import igraph +from typing_extensions import TypeAlias # noqa[TC002] + +from checkov.common.checks_infra.registry import get_graph_checks_registry +from checkov.common.graph.checks_infra.registry import BaseRegistry +from checkov.common.graph.graph_builder.consts import GraphSource +from checkov.common.images.image_referencer import ImageReferencerMixin +from checkov.common.models.enums import CheckResult +from checkov.common.output.graph_record import GraphRecord +from checkov.common.output.record import Record +from checkov.common.output.report import Report +from checkov.common.runners.base_runner import BaseRunner +from checkov.common.util.data_structures_utils import pickle_deepcopy +from checkov.common.util.secrets import omit_secret_value_from_graph_checks +from checkov.common.variables.context import EvaluationContext +from checkov.runner_filter import RunnerFilter +from checkov.terraform.modules.module_objects import TFDefinitionKey +from checkov.terraform.checks.data.registry import data_registry +from checkov.terraform.checks.module.registry import module_registry +from checkov.terraform.checks.provider.registry import provider_registry +from checkov.terraform.checks.resource.registry import resource_registry +from checkov.terraform.context_parsers.registry import parser_registry +from checkov.common.graph.graph_builder.graph_components.attribute_names import CustomAttributes +from checkov.terraform.graph_builder.local_graph import TerraformLocalGraph +from checkov.terraform.graph_manager import TerraformGraphManager +from checkov.terraform.image_referencer.manager import TerraformImageReferencerManager +from checkov.terraform.tf_parser import TFParser + +if TYPE_CHECKING: + from networkx import DiGraph + from checkov.common.checks_infra.registry import Registry + from checkov.common.images.image_referencer import Image + from checkov.common.typing import LibraryGraphConnector + +_Context = TypeVar("_Context", bound="dict[Any, Any]|None") +_Definitions = TypeVar("_Definitions", bound="dict[Any, Any]|None") +_FilePath = TypeVar("_FilePath") + +# Allow the evaluation of empty variables +dpath.options.ALLOW_EMPTY_STRING_KEYS = True + + +class BaseTerraformRunner( + ImageReferencerMixin[None], + BaseRunner[_Definitions, _Context, TerraformGraphManager], + Generic[_Definitions, _Context, _FilePath], +): + def __init__( + self, + parser: TFParser | None = None, + db_connector: LibraryGraphConnector | None = None, + external_registries: list[BaseRegistry] | None = None, + source: str = GraphSource.TERRAFORM, + graph_class: type[TerraformLocalGraph] = TerraformLocalGraph, + graph_manager: TerraformGraphManager | None = None, + ) -> None: + super().__init__(file_extensions=[".tf", ".hcl"]) + self.external_registries = [] if external_registries is None else external_registries + self.graph_class = graph_class + self.parser = parser or TFParser() + self.definitions: _Definitions | None = None + self.context: _Context | None = None + self.breadcrumbs = None + self.evaluations_context: Dict[TFDefinitionKey, Dict[str, EvaluationContext]] = {} + self.graph_manager: TerraformGraphManager = ( + graph_manager + if graph_manager is not None + else TerraformGraphManager( + source=source, + db_connector=db_connector or self.db_connector, + ) + ) + self.graph_registry: Registry = get_graph_checks_registry(self.check_type) + self.definitions_with_modules: dict[str, dict[str, Any]] = {} + self.referrer_cache: Dict[str, str] = {} + self.non_referred_cache: Set[str] = set() + + block_type_registries = { # noqa: CCE003 # a static attribute + "resource": resource_registry, + "data": data_registry, + "provider": provider_registry, + "module": module_registry, + } + + @abstractmethod + def run( + self, + root_folder: str | None, + external_checks_dir: list[str] | None = None, + files: list[str] | None = None, + runner_filter: RunnerFilter | None = None, + collect_skip_comments: bool = True, + ) -> Report | list[Report]: + pass + + def load_external_checks(self, external_checks_dir: list[str] | None) -> None: + if external_checks_dir: + for directory in external_checks_dir: + resource_registry.load_external_checks(directory) + self.graph_registry.load_external_checks(directory) + + def get_connected_node(self, entity: dict[str, Any], root_folder: str) -> Optional[Dict[str, Any]]: + connected_entity = entity.get("connected_node") + if not connected_entity: + return None + connected_entity_context = self.get_entity_context_and_evaluations(connected_entity) + if not connected_entity_context: + return None + full_file_path = connected_entity[CustomAttributes.FILE_PATH] + connected_node_data = {} + connected_node_data["code_block"] = connected_entity_context.get("code_lines") + connected_node_data["file_path"] = f"{os.sep}{os.path.relpath(full_file_path, root_folder)}" + connected_node_data["file_line_range"] = [ + connected_entity_context.get("start_line"), + connected_entity_context.get("end_line"), + ] + connected_node_data["resource"] = ".".join(connected_entity_context["definition_path"]) + connected_node_data["entity_tags"] = connected_entity.get("tags", {}) + connected_node_data["evaluations"] = None + connected_node_data["file_abs_path"] = os.path.abspath(full_file_path) + connected_node_data["resource_address"] = connected_entity_context.get("address") + return connected_node_data + + def get_graph_checks_report( + self, root_folder: str, runner_filter: RunnerFilter, graph: igraph.Graph | None = None + ) -> Report: + report = Report(self.check_type) + checks_results = self.run_graph_checks_results(runner_filter, self.check_type, graph) + + for check, check_results in checks_results.items(): + for check_result in check_results: + entity = check_result["entity"] + entity_context = self.get_entity_context_and_evaluations(entity) + if entity_context: + full_file_path = entity[CustomAttributes.FILE_PATH] + copy_of_check_result = pickle_deepcopy(check_result) + for skipped_check in entity_context.get("skipped_checks", []): + if skipped_check["id"] == check.id: + copy_of_check_result["result"] = CheckResult.SKIPPED + copy_of_check_result["suppress_comment"] = skipped_check["suppress_comment"] + break + copy_of_check_result["entity"] = entity[CustomAttributes.CONFIG] + connected_node_data = self.get_connected_node(entity, root_folder) + if platform.system() == "Windows": + root_folder = os.path.split(full_file_path)[0] + resource_id = ".".join(entity_context["definition_path"]) + resource = resource_id + definition_context_file_path = full_file_path + if ( + entity.get(CustomAttributes.TF_RESOURCE_ADDRESS) + and entity.get(CustomAttributes.TF_RESOURCE_ADDRESS) != resource_id + ): + # for plan resources + resource = entity[CustomAttributes.TF_RESOURCE_ADDRESS] + entity_config = self.get_graph_resource_entity_config(entity) + censored_code_lines = omit_secret_value_from_graph_checks( + check=check, + check_result=check_result, + entity_code_lines=entity_context.get("code_lines", []), + entity_config=entity_config, + resource_attributes_to_omit=runner_filter.resource_attr_to_omit, + ) + record = Record( + check_id=check.id, + bc_check_id=check.bc_id, + check_name=check.name, + check_result=copy_of_check_result, + code_block=censored_code_lines, + file_path=f"{os.sep}{os.path.relpath(full_file_path, root_folder)}", + file_line_range=[ + entity_context.get("start_line", 1), + entity_context.get("end_line", 1), + ], + resource=resource, + entity_tags=entity.get("tags", {}), + evaluations=None, + check_class=check.__class__.__module__, + file_abs_path=os.path.abspath(full_file_path), + resource_address=entity_context.get("address"), + severity=check.severity, + bc_category=check.bc_category, + benchmarks=check.benchmarks, + connected_node=connected_node_data, + definition_context_file_path=definition_context_file_path, + ) + if self.breadcrumbs: + breadcrumb = self.breadcrumbs.get(record.file_path, {}).get(resource) + if breadcrumb: + record = GraphRecord(record, breadcrumb) + record.set_guideline(check.guideline) + report.add_record(record=record) + return report + + @abstractmethod + def get_entity_context_and_evaluations(self, entity: dict[str, Any]) -> dict[str, Any] | None: + pass + + @abstractmethod + def run_block( + self, + entities: list[dict[str, Any]], + definition_context: _Context, + full_file_path: _FilePath, + root_folder: str, + report: Report, + scanned_file: str, + block_type: str, + runner_filter: RunnerFilter, + entity_context_path_header: str | None = None, + module_referrer: str | None = None, + ) -> None: + pass + + def extract_images( + self, + graph_connector: DiGraph | None = None, + definitions: dict[str, dict[str, Any] | list[dict[str, Any]]] | None = None, + definitions_raw: dict[str, list[tuple[int, str]]] | None = None, + ) -> list[Image]: + if not graph_connector: + # should not happen + return [] + + manager = TerraformImageReferencerManager(graph_connector=graph_connector) + images = manager.extract_images_from_resources() + + return images + + @staticmethod + def get_graph_resource_entity_config(entity: dict[str, Any]) -> dict[str, Any]: + context_parser = parser_registry.context_parsers[entity[CustomAttributes.BLOCK_TYPE]] + entity_config: dict[str, Any] = entity[CustomAttributes.CONFIG] + definition_path = context_parser.get_entity_definition_path(entity_config) + for path in definition_path: + entity_config = entity_config[path] + return entity_config diff --git a/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml b/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml new file mode 100644 index 00000000000..5c8a1e29466 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml @@ -0,0 +1,19 @@ +metadata: + id: "CKV2_AWS_66" + name: "Ensure MWAA environment is not publicly accessible" + category: "NETWORKING" + +definition: + + or: + + - cond_type: "attribute" + resource_types: "aws_mwaa_environment" + attribute: "webserver_access_mode" + operator: "not_exists" + + - cond_type: "attribute" + resource_types: "aws_mwaa_environment" + attribute: "webserver_access_mode" + operator: "equals" + value: "PRIVATE_ONLY" diff --git a/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml b/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml new file mode 100644 index 00000000000..ef36d04e729 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml @@ -0,0 +1,12 @@ +metadata: + id: "CKV2_AWS_65" + name: "Ensure access control lists for S3 buckets are disabled" + category: "GENERAL_SECURITY" + +definition: + + cond_type: "attribute" + resource_types: "aws_s3_bucket_ownership_controls" + attribute: "rule.object_ownership" + operator: "equals" + value: "BucketOwnerEnforced" diff --git a/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml b/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml index 3adcd44f85b..350ed303a77 100644 --- a/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml +++ b/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml @@ -17,5 +17,5 @@ definition: operator: "number_of_words_not_equals" value: 0 -# Checking for condition "number_of_words_not_equals=0" instead of "is_not_empty" because -# even whitespaces were getting considered in terraform YAML file \ No newline at end of file +# Checking for condition "number_of_words_not_equals=0" instead of "is_not_empty" because +# even whitespaces were getting considered in terraform YAML file diff --git a/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py b/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py new file mode 100644 index 00000000000..ad31c14c279 --- /dev/null +++ b/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py @@ -0,0 +1,33 @@ + + +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_negative_value_check import BaseResourceNegativeValueCheck + + +class DeprecatedLambdaRuntime(BaseResourceNegativeValueCheck): + def __init__(self): + name = "Ensure Lambda Runtime is not deprecated" + id = "CKV_AWS_363" + supported_resources = ['aws_lambda_function'] + categories = [CheckCategories.GENERAL_SECURITY] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "runtime" + + def get_forbidden_values(self): + return ["dotnetcore3.1", "nodejs12.x", "python3.6", "python2.7", "dotnet5.0", "dotnetcore2.1", "ruby2.5", + "nodejs10.x", "nodejs8.10", "nodejs4.3", "nodejs6.10", "dotnetcore1.0", "dotnetcore2.0", + "nodejs4.3-edge", "nodejs", + # "python3.7", # Uncomment on Nov 27, 2023 + # "nodejs14.x", # Uncomment on Nov 27, 2023 + # "ruby2.7", # Uncomment on Dec 7, 2023 + # "provided", # Uncomment on Dec 31, 2023 + # "go1.x", # Uncomment on Dec 31, 2023 + # "java8", # Uncomment on Dec 31, 2023 + # "nodejs16.x", # Uncomment on Mar 11, 2024 + # "dotnet7", # Uncomment on May 14, 2024 + ] + + +check = DeprecatedLambdaRuntime() diff --git a/checkov/terraform/checks/resource/aws/DocDBBackupRetention.py b/checkov/terraform/checks/resource/aws/DocDBBackupRetention.py new file mode 100644 index 00000000000..c04dbf772bf --- /dev/null +++ b/checkov/terraform/checks/resource/aws/DocDBBackupRetention.py @@ -0,0 +1,22 @@ +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class DocDBBackupRetention(BaseResourceValueCheck): + def __init__(self): + name = "Ensure DocDB has an adequate backup retention period" + id = "CKV_AWS_360" + supported_resources = ['aws_docdb_cluster'] + categories = [CheckCategories.BACKUP_AND_RECOVERY] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self): + return "backup_retention_period" + + def scan_resource_conf(self, conf): + if conf.get("backup_retention_period", [1])[0] >= 7: + return CheckResult.PASSED + return CheckResult.FAILED + + +check = DocDBBackupRetention() diff --git a/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py b/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py index 73e2198411e..d6cb19db22d 100644 --- a/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py +++ b/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py @@ -1,45 +1,43 @@ -from typing import List +from __future__ import annotations -from checkov.common.models.enums import ( - CheckCategories, - CheckResult, -) -from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck +from typing import Any +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck -class IMDSv1Disabled(BaseResourceCheck): - def __init__(self): + +class IMDSv1Disabled(BaseResourceValueCheck): + def __init__(self) -> None: name = "Ensure Instance Metadata Service Version 1 is not enabled" id = "CKV_AWS_79" - categories = [CheckCategories.GENERAL_SECURITY] - supported_resources = ['aws_instance', 'aws_launch_template', 'aws_launch_configuration'] - super().__init__( - name=name, - id=id, - categories=categories, - supported_resources=supported_resources, - ) - - def scan_resource_conf(self, conf): + categories = (CheckCategories.GENERAL_SECURITY,) + supported_resources = ("aws_instance", "aws_launch_template", "aws_launch_configuration") + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: """ Looks for if the metadata service is disabled or requires session tokens: - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options - or - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options + https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options + or + https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options :param conf: dict of supported resource configuration :return: """ - if 'metadata_options' not in conf.keys() or not isinstance(conf['metadata_options'][0], dict): + metadata_options = conf.get("metadata_options") + if not metadata_options or not isinstance(metadata_options[0], dict): return CheckResult.FAILED - metadata_options = conf['metadata_options'][0] - if ('http_tokens' in metadata_options and metadata_options["http_tokens"] == ["required"]) or \ - ('http_endpoint' in metadata_options and metadata_options["http_endpoint"] == ["disabled"]): + + if metadata_options[0].get("http_endpoint") == ["disabled"]: return CheckResult.PASSED - return CheckResult.FAILED - def get_evaluated_keys(self) -> List[str]: - return ['metadata_options/[0]/http_tokens', 'metadata_options/[0]/http_endpoint'] + return super().scan_resource_conf(conf) + + def get_inspected_key(self) -> str: + return "metadata_options/[0]/http_tokens" + + def get_expected_value(self) -> Any: + return "required" check = IMDSv1Disabled() diff --git a/checkov/terraform/checks/resource/aws/LambdaServicePermission.py b/checkov/terraform/checks/resource/aws/LambdaServicePermission.py new file mode 100644 index 00000000000..254a1a8e47f --- /dev/null +++ b/checkov/terraform/checks/resource/aws/LambdaServicePermission.py @@ -0,0 +1,38 @@ +from __future__ import annotations + +from typing import List, Any + +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck + + +class LambdaServicePermission(BaseResourceCheck): + def __init__(self) -> None: + description = "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount" + id = "CKV_AWS_364" + supported_resources = ('aws_lambda_permission',) + categories = (CheckCategories.IAM,) + super().__init__(name=description, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: + # Replace this with the custom logic for your check + principal = conf.get("principal") + if principal and isinstance(principal, list) and isinstance(principal[0], str): + principal_parts = principal[0].split('.') + try: + if principal_parts[1] == 'amazonaws' and principal_parts[2] == 'com': # This confirms that the principal is set as a service principal. + if 'source_arn' in conf or 'source_account' in conf: # If either of these are set, we're good and the check should pass. + self.evaluated_keys = self.get_evaluated_keys() + return CheckResult.PASSED + else: + self.evaluated_keys = self.get_evaluated_keys() + return CheckResult.FAILED + except IndexError: + return CheckResult.UNKNOWN + return CheckResult.UNKNOWN + + def get_evaluated_keys(self) -> List[str]: + return ["principal", "source_arn", "source_account"] + + +check = LambdaServicePermission() diff --git a/checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py b/checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py new file mode 100644 index 00000000000..8adaf9a10d8 --- /dev/null +++ b/checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py @@ -0,0 +1,23 @@ +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck + + +class NeptuneClusterBackupRetention(BaseResourceCheck): + def __init__(self): + description = "Ensure that Neptune DB cluster has automated backups enabled with adequate retention" + id = "CKV_AWS_361" + supported_resources = ['aws_neptune_cluster'] + categories = [CheckCategories.BACKUP_AND_RECOVERY] + super().__init__(name=description, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf): + if conf.get('backup_retention_period', [1])[0] >= 7: + return CheckResult.PASSED + + return CheckResult.FAILED + + def get_evaluated_keys(self): + return 'backup_retention_period' + + +check = NeptuneClusterBackupRetention() diff --git a/checkov/terraform/checks/resource/aws/NeptuneDBClustersCopyTagsToSnapshots.py b/checkov/terraform/checks/resource/aws/NeptuneDBClustersCopyTagsToSnapshots.py new file mode 100644 index 00000000000..297926c78ca --- /dev/null +++ b/checkov/terraform/checks/resource/aws/NeptuneDBClustersCopyTagsToSnapshots.py @@ -0,0 +1,17 @@ +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class NeptuneDBClustersCopyTagsToSnapshots(BaseResourceValueCheck): + def __init__(self): + description = "Neptune DB clusters should be configured to copy tags to snapshots" + id = "CKV_AWS_362" + supported_resources = ['aws_neptune_cluster'] + categories = [CheckCategories.BACKUP_AND_RECOVERY] + super().__init__(name=description, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self): + return "copy_tags_to_snapshot" + + +check = NeptuneDBClustersCopyTagsToSnapshots() diff --git a/checkov/terraform/checks/resource/aws/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py b/checkov/terraform/checks/resource/aws/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py new file mode 100644 index 00000000000..ddda691fe41 --- /dev/null +++ b/checkov/terraform/checks/resource/aws/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py @@ -0,0 +1,17 @@ +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class NeptuneDBClustersIAMDatabaseAuthenticationEnabled(BaseResourceValueCheck): + def __init__(self): + description = "Neptune DB clusters should have IAM database authentication enabled" + id = "CKV_AWS_359" + supported_resources = ['aws_neptune_cluster'] + categories = [CheckCategories.IAM] + super().__init__(name=description, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self): + return "iam_database_authentication_enabled" + + +check = NeptuneDBClustersIAMDatabaseAuthenticationEnabled() diff --git a/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py b/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py new file mode 100644 index 00000000000..0640780f851 --- /dev/null +++ b/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py @@ -0,0 +1,35 @@ +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class AKSEncryptionAtHostEnabled(BaseResourceValueCheck): + def __init__(self) -> None: + """ + With host-based encryption, the data stored on the VM host of + your AKS agent nodes' VMs is encrypted at rest and flows encrypted to the Storage service. + + This means the temp disks are encrypted at rest with platform-managed keys. + The cache of OS and data disks is encrypted at rest with either platform-managed keys + or customer-managed keys depending on the encryption type set on those disks. + """ + name = "Ensure that the AKS cluster encrypt temp disks, caches, and data flows " + name += "between Compute and Storage resources" + id = "CKV_AZURE_227" + supported_resources = ("azurerm_kubernetes_cluster", "azurerm_kubernetes_cluster_node_pool") + categories = (CheckCategories.KUBERNETES,) + super().__init__( + name=name, + id=id, + categories=categories, + supported_resources=supported_resources, + missing_block_result=CheckResult.FAILED, + ) + + def get_inspected_key(self) -> str: + if self.entity_type == "azurerm_kubernetes_cluster": + return "default_node_pool/[0]/enable_host_encryption" + else: + return "enable_host_encryption" + + +check = AKSEncryptionAtHostEnabled() diff --git a/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py b/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py new file mode 100644 index 00000000000..e8af9392c4a --- /dev/null +++ b/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py @@ -0,0 +1,34 @@ +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck +from typing import Any + + +class AKSEphemeralOSDisks(BaseResourceValueCheck): + def __init__(self) -> None: + """ + Temporary data can contain sensitive data at some points, by using ephemeral disks, + we ensure that data written to OS disk is stored on local VM storage and isn't persisted to Azure Storage + + Azure automatically replicates data stored in the managed OS disk of a virtual machine to Azure storage + to avoid data loss in case the virtual machine needs to be relocated to another host. + Generally speaking, containers are not designed to have local state persisted to the managed OS disk, + hence this behavior offers limited value to AKS hosted while providing some drawbacks, + including slower node provisioning and higher read/write latency. + + Ephemeral disks allow us also to have faster cluster operations like scale or upgrade + due to faster re-imaging and boot times. + """ + name = "Ensure ephemeral disks are used for OS disks" + id = "CKV_AZURE_226" + supported_resources = ("azurerm_kubernetes_cluster",) + categories = (CheckCategories.KUBERNETES,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "default_node_pool/[0]/os_disk_type" + + def get_expected_value(self) -> Any: + return "Ephemeral" + + +check = AKSEphemeralOSDisks() diff --git a/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py b/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py new file mode 100644 index 00000000000..6f04fef7ec7 --- /dev/null +++ b/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py @@ -0,0 +1,26 @@ +from __future__ import annotations + +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class AppServicePlanZoneRedundant(BaseResourceValueCheck): + def __init__(self) -> None: + """ + To enhance the resiliency and reliability of business-critical workloads, + it's recommended to deploy new App Service Plans with zone-redundancy. + + There's no additional cost associated with enabling availability zones. + Pricing for a zone redundant App Service is the same as a single zone App Service. + """ + name = "Ensure the App Service Plan is zone redundant" + id = "CKV_AZURE_225" + supported_resources = ("azurerm_service_plan",) + categories = (CheckCategories.BACKUP_AND_RECOVERY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "zone_balancing_enabled" + + +check = AppServicePlanZoneRedundant() diff --git a/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py b/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py new file mode 100644 index 00000000000..ac41278c9c7 --- /dev/null +++ b/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py @@ -0,0 +1,22 @@ +from typing import Any + +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class AppServicePublicAccessDisabled(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that Azure Web App public network access is disabled" + id = "CKV_AZURE_222" + supported_resources = ("azurerm_linux_web_app", "azurerm_windows_web_app") + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "public_network_access_enabled" + + def get_expected_value(self) -> Any: + return False + + +check = AppServicePublicAccessDisabled() diff --git a/checkov/terraform/checks/resource/azure/DataLakeStoreEncryption.py b/checkov/terraform/checks/resource/azure/DataLakeStoreEncryption.py index 7b4f40bbbf6..0f78f6c557a 100644 --- a/checkov/terraform/checks/resource/azure/DataLakeStoreEncryption.py +++ b/checkov/terraform/checks/resource/azure/DataLakeStoreEncryption.py @@ -6,8 +6,8 @@ class DataLakeStoreEncryption(BaseResourceValueCheck): def __init__(self): name = "Ensure that Data Lake Store accounts enables encryption" id = "CKV_AZURE_105" - supported_resources = ['azurerm_data_lake_store'] - categories = [CheckCategories.IAM] + supported_resources = ('azurerm_data_lake_store',) + categories = (CheckCategories.ENCRYPTION,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, missing_block_result=CheckResult.PASSED) def get_inspected_key(self): diff --git a/checkov/terraform/checks/resource/azure/EventHubNamespaceMinTLS12.py b/checkov/terraform/checks/resource/azure/EventHubNamespaceMinTLS12.py new file mode 100644 index 00000000000..d4aefed0e69 --- /dev/null +++ b/checkov/terraform/checks/resource/azure/EventHubNamespaceMinTLS12.py @@ -0,0 +1,25 @@ +from __future__ import annotations + +from typing import Any + +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class EventHubNamespaceMinTLS12(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure Event Hub Namespace uses at least TLS 1.2" + id = "CKV_AZURE_223" + supported_resources = ("azurerm_eventhub_namespace",) + categories = (CheckCategories.ENCRYPTION,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, + missing_block_result=CheckResult.PASSED) + + def get_inspected_key(self) -> str: + return "minimum_tls_version" + + def get_expected_value(self) -> Any: + return "1.2" + + +check = EventHubNamespaceMinTLS12() diff --git a/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py b/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py new file mode 100644 index 00000000000..51641369a89 --- /dev/null +++ b/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py @@ -0,0 +1,27 @@ +from typing import Any + +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class FunctionAppPublicAccessDisabled(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that Azure Function App public network access is disabled" + id = "CKV_AZURE_221" + supported_resources = ( + "azurerm_linux_function_app", + "azurerm_linux_function_app_slot", + "azurerm_windows_function_app", + "azurerm_windows_function_app_slot", + ) + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "public_network_access_enabled" + + def get_expected_value(self) -> Any: + return False + + +check = FunctionAppPublicAccessDisabled() diff --git a/checkov/terraform/checks/resource/azure/RedisCachePublicNetworkAccessEnabled.py b/checkov/terraform/checks/resource/azure/RedisCachePublicNetworkAccessEnabled.py index 7f3c2fbb3ac..d2184754938 100644 --- a/checkov/terraform/checks/resource/azure/RedisCachePublicNetworkAccessEnabled.py +++ b/checkov/terraform/checks/resource/azure/RedisCachePublicNetworkAccessEnabled.py @@ -6,8 +6,8 @@ class RedisCachePublicNetworkAccessEnabled(BaseResourceValueCheck): def __init__(self): name = "Ensure that Azure Cache for Redis disables public network access" id = "CKV_AZURE_89" - supported_resources = ['azurerm_redis_cache'] - categories = [CheckCategories.IAM] + supported_resources = ('azurerm_redis_cache',) + categories = (CheckCategories.NETWORKING,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) def get_inspected_key(self): diff --git a/checkov/terraform/checks/resource/azure/SQLDatabaseLedgerEnabled.py b/checkov/terraform/checks/resource/azure/SQLDatabaseLedgerEnabled.py new file mode 100644 index 00000000000..d4c974b449a --- /dev/null +++ b/checkov/terraform/checks/resource/azure/SQLDatabaseLedgerEnabled.py @@ -0,0 +1,39 @@ +from __future__ import annotations + +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class SQLDatabaseLedgerEnabled(BaseResourceValueCheck): + def __init__(self) -> None: + """ + Ledger helps protect data from any attacker or high-privileged user, including database administrators (DBAs), + system administrators, and cloud administrators. As with a traditional ledger, the feature preserves + historical data. + If a row is updated in the database, its previous value is maintained and protected + in a history table. Ledger provides a chronicle of all changes made to the database over time. + Ledger and the historical data are managed transparently, offering protection without any application changes. + The feature maintains historical data in a relational form to support SQL queries for auditing, + forensics, and other purposes. + It provides guarantees of cryptographic data integrity while maintaining the power, flexibility, + and performance of the SQL database. + + Note that: + - Ledger needs to be enabled at the deployment of the database and can't be removed once enabled + - Ledger may come with performance impact, which means that it is advise to closely monitor + the database performance in order to ensure that the database meets the performance objectives + - Ledger comes with an additional cost, due to the data being stored + + """ + name = "Ensure that the Ledger feature is enabled on database that " + name += "requires cryptographic proof and nonrepudiation of data integrity" + id = "CKV_AZURE_224" + supported_resources = ("azurerm_mssql_database",) + categories = (CheckCategories.LOGGING,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "ledger_enabled" + + +check = SQLDatabaseLedgerEnabled() diff --git a/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py b/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py index d2483a249d0..2b6dc5c9378 100644 --- a/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py +++ b/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py @@ -28,7 +28,7 @@ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult: self.evaluated_keys = ["rotation_period"] rotation = conf.get("rotation_period") - if rotation and rotation[0]: + if rotation and rotation[0] and isinstance(rotation[0], str): time = force_int(rotation[0][:-1]) if time and ONE_DAY <= time <= NINETY_DAYS: return CheckResult.PASSED diff --git a/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py b/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py index 7a2842f7bcb..c2cbe20c5c6 100644 --- a/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py +++ b/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py @@ -19,13 +19,13 @@ def scan_resource_conf(self, conf) -> CheckResult: if isinstance(rules, list) and rules: for rule in rules: if "api_groups" in rule: - if "*" in rule["api_groups"][0]: + if rule["api_groups"] is not None and "*" in rule["api_groups"][0]: return CheckResult.FAILED if "resources" in rule: - if "*" in rule["resources"][0]: + if rule["resources"] is not None and "*" in rule["resources"][0]: return CheckResult.FAILED if "verbs" in rule: - if "*" in rule["verbs"][0]: + if rule["verbs"] is not None and "*" in rule["verbs"][0]: return CheckResult.FAILED return CheckResult.PASSED diff --git a/checkov/terraform/graph_builder/foreach/abstract_handler.py b/checkov/terraform/graph_builder/foreach/abstract_handler.py index 8d094a0874a..8a8d9a91182 100644 --- a/checkov/terraform/graph_builder/foreach/abstract_handler.py +++ b/checkov/terraform/graph_builder/foreach/abstract_handler.py @@ -7,7 +7,6 @@ from typing import Any from checkov.common.util.data_structures_utils import pickle_deepcopy -from checkov.terraform import TFModule from checkov.terraform.graph_builder.foreach.consts import COUNT_STRING, FOREACH_STRING, COUNT_KEY, EACH_VALUE, \ EACH_KEY, REFERENCES_VALUES from checkov.terraform.graph_builder.graph_components.block_types import BlockType @@ -67,16 +66,6 @@ def _build_sub_graph(self, blocks_to_render: list[int]) -> TerraformLocalGraph: sub_graph.out_edges = self.local_graph.out_edges return sub_graph - @staticmethod - def _update_nested_tf_module_foreach_idx(original_foreach_or_count_key: int | str, original_module_key: TFModule, - tf_moudle: TFModule | None) -> None: - original_module_key.foreach_idx = None # Make sure it is always None even if we didn't override it previously - while tf_moudle is not None: - if tf_moudle == original_module_key: - tf_moudle.foreach_idx = original_foreach_or_count_key - break - tf_moudle = tf_moudle.nested_tf_module - @staticmethod def _pop_foreach_attrs(attrs: dict[str, Any]) -> None: attrs.pop(COUNT_STRING, None) diff --git a/checkov/terraform/graph_builder/foreach/module_handler.py b/checkov/terraform/graph_builder/foreach/module_handler.py index 135f5776968..caa6fca4845 100644 --- a/checkov/terraform/graph_builder/foreach/module_handler.py +++ b/checkov/terraform/graph_builder/foreach/module_handler.py @@ -7,7 +7,7 @@ from checkov.common.util.consts import RESOLVED_MODULE_ENTRY_NAME from checkov.common.util.data_structures_utils import pickle_deepcopy -from checkov.terraform import TFModule +from checkov.terraform import TFModule, TFDefinitionKey from checkov.terraform.graph_builder.foreach.abstract_handler import ForeachAbstractHandler from checkov.terraform.graph_builder.foreach.consts import FOREACH_STRING, COUNT_STRING from checkov.terraform.graph_builder.graph_components.block_types import BlockType @@ -88,7 +88,7 @@ def _get_current_tf_module_object(self, m_idx: int) -> TFModule: return TFModule(m.path, m_name, m.source_module_object, m.for_each_index) def _create_new_resources_foreach(self, statement: list[str] | dict[str, Any], block_idx: int) -> None: - # Important it will be before the super call to avoid changes occuring from super + # Important it will be before the super call to avoid changes occurring from super main_resource = self.local_graph.vertices[block_idx] super()._create_new_resources_foreach(statement, block_idx) @@ -109,12 +109,9 @@ def _create_new_foreach_resource(self, block_idx: int, foreach_idx: int, main_re def _update_module_children(self, main_resource: TerraformBlock, original_foreach_or_count_key: int | str, should_override_foreach_key: bool = True) -> None: + foreach_idx = original_foreach_or_count_key if not should_override_foreach_key else None original_module_key = TFModule(path=main_resource.path, name=main_resource.name, - nested_tf_module=main_resource.source_module_object) - - if not should_override_foreach_key: - original_module_key.foreach_idx = original_foreach_or_count_key - + nested_tf_module=main_resource.source_module_object, foreach_idx=foreach_idx) self._update_children_foreach_index(original_foreach_or_count_key, original_module_key, should_override_foreach_key=should_override_foreach_key) @@ -137,23 +134,27 @@ def _update_children_foreach_index(self, original_foreach_or_count_key: int | st if current_module_key is None: current_module_key = original_module_key if current_module_key not in self.local_graph.vertices_by_module_dependency: - return + # Make sure we check both the intended key (with foreach key) and the one without the foreach key. + # This is important as we have some iterations in which we try to access with the intended key before + # we actually updated the dict itself + nullified_key = self._get_tf_module_with_no_foreach(current_module_key) + if nullified_key not in self.local_graph.vertices_by_module_dependency: + return + current_module_key = nullified_key values = self.local_graph.vertices_by_module_dependency[current_module_key].values() for child_indexes in values: for child_index in child_indexes: child = self.local_graph.vertices[child_index] - self._update_nested_tf_module_foreach_idx(original_foreach_or_count_key, original_module_key, - child.source_module_object) + child.source_module_object = self._get_module_with_only_relevant_foreach_idx( + original_foreach_or_count_key, original_module_key, child.source_module_object) self._update_resolved_entry_for_tf_definition(child, original_foreach_or_count_key, original_module_key) # Important to copy to avoid changing the object by reference child_source_module_object_copy = pickle_deepcopy(child.source_module_object) if should_override_foreach_key and child_source_module_object_copy is not None: - tf_module: TFModule | None = child_source_module_object_copy - while tf_module is not None: - tf_module.foreach_idx = None - tf_module = tf_module.nested_tf_module + child_source_module_object_copy = self._get_tf_module_with_no_foreach( + child_source_module_object_copy) child_module_key = TFModule(path=child.path, name=child.name, nested_tf_module=child_source_module_object_copy, @@ -162,6 +163,14 @@ def _update_children_foreach_index(self, original_foreach_or_count_key: int | st self._update_children_foreach_index(original_foreach_or_count_key, original_module_key, child_module_key) + @staticmethod + def _get_tf_module_with_no_foreach(original_module: TFModule | None) -> TFModule | None: + if original_module is None: + return original_module + return TFModule(name=original_module.name, path=original_module.path, foreach_idx=None, + nested_tf_module=ForeachModuleHandler._get_tf_module_with_no_foreach( + original_module.nested_tf_module)) + def _create_new_module( self, main_resource: TerraformBlock, @@ -180,7 +189,7 @@ def _create_new_module( main_resource_module_key = TFModule( path=new_resource.path, name=main_resource.name, - nested_tf_module=new_resource.source_module_object, + nested_tf_module=self._get_tf_module_with_no_foreach(new_resource.source_module_object) ) # Without making this copy the test don't pass, as we might access the data structure in the middle of an update @@ -198,8 +207,10 @@ def _create_new_module( else: self.local_graph.vertices[resource_idx] = new_resource - key_with_foreach_index = main_resource_module_key - key_with_foreach_index.foreach_idx = idx_to_change + key_with_foreach_index = TFModule(name=main_resource_module_key.name, + path=main_resource_module_key.path, + nested_tf_module=main_resource_module_key.nested_tf_module, + foreach_idx=idx_to_change) self.local_graph.vertices_by_module_dependency[key_with_foreach_index] = main_resource_module_value self.local_graph.vertices_by_module_dependency_by_name[key_with_foreach_index][new_resource.name] = main_resource_module_value @@ -269,9 +280,28 @@ def _update_resolved_entry_for_tf_definition(child: TerraformBlock, original_for if isinstance(config, dict): resolved_module_name = config.get(RESOLVED_MODULE_ENTRY_NAME) if resolved_module_name is not None and len(resolved_module_name) > 0: - tf_moudle: TFModule = resolved_module_name[0].tf_source_modules - ForeachAbstractHandler._update_nested_tf_module_foreach_idx( + original_definition_key = config[RESOLVED_MODULE_ENTRY_NAME][0] + tf_source_modules = ForeachModuleHandler._get_module_with_only_relevant_foreach_idx( original_foreach_or_count_key, original_module_key, - tf_moudle, + resolved_module_name[0].tf_source_modules, ) + config[RESOLVED_MODULE_ENTRY_NAME][0] = TFDefinitionKey(file_path=original_definition_key.file_path, + tf_source_modules=tf_source_modules) + + @staticmethod + def _get_module_with_only_relevant_foreach_idx(original_foreach_or_count_key: int | str, + original_module_key: TFModule, + tf_moudle: TFModule | None) -> TFModule | None: + if tf_moudle is None: + return None + if tf_moudle == original_module_key: + return TFModule(name=tf_moudle.name, path=tf_moudle.path, + nested_tf_module=tf_moudle.nested_tf_module, + foreach_idx=original_foreach_or_count_key) + nested_module = tf_moudle.nested_tf_module + updated_module = ForeachModuleHandler._get_module_with_only_relevant_foreach_idx( + original_foreach_or_count_key, original_module_key, nested_module) + return TFModule(name=tf_moudle.name, path=tf_moudle.path, + nested_tf_module=updated_module, + foreach_idx=tf_moudle.foreach_idx) diff --git a/checkov/terraform/graph_builder/graph_components/module.py b/checkov/terraform/graph_builder/graph_components/module.py index 162c3a8d6cc..8b67f9cb1e4 100644 --- a/checkov/terraform/graph_builder/graph_components/module.py +++ b/checkov/terraform/graph_builder/graph_components/module.py @@ -3,6 +3,7 @@ import json import os from typing import List, Dict, Any, Set, Callable, Tuple, TYPE_CHECKING, cast +from ast import literal_eval from checkov.common.typing import TFDefinitionKeyType from checkov.common.util.data_structures_utils import pickle_deepcopy @@ -49,7 +50,7 @@ def __eq__(self, other: object) -> bool: def to_dict(self) -> dict[str, Any]: return { - 'external_modules_source_map': self.external_modules_source_map, + 'external_modules_source_map': self._to_dict_external_modules_source_map(), 'path': self.path, 'customer_name': self.customer_name, 'account_id': self.account_id, @@ -63,7 +64,7 @@ def to_dict(self) -> dict[str, Any]: @staticmethod def from_dict(module_dict: dict[str, Any]) -> Module: module = Module(source_dir=module_dict.get('source_dir', ''), - external_modules_source_map=module_dict.get('external_modules_source_map', {}) + external_modules_source_map=Module._from_dict_external_modules_source_map(module_dict) ) module.blocks = [TerraformBlock.from_dict(block) for block in module_dict.get('blocks', [])] module.path = module_dict.get('path', '') @@ -75,6 +76,13 @@ def from_dict(module_dict: dict[str, Any]) -> Module: module.render_dynamic_blocks_env_var = module_dict.get('render_dynamic_blocks_env_var', '') return module + def _to_dict_external_modules_source_map(self) -> dict[str, str]: + return {str(k_tuple): v for k_tuple, v in self.external_modules_source_map.items()} + + @staticmethod + def _from_dict_external_modules_source_map(module_dict: dict[str, Any]) -> dict[tuple[str, str], Any]: + return {literal_eval(k_tuple): v for k_tuple, v in module_dict.get('external_modules_source_map', {}).items()} + def add_blocks( self, block_type: str, blocks: List[Dict[str, Dict[str, Any]]], path: TFDefinitionKeyType, source: str ) -> None: diff --git a/checkov/terraform/graph_builder/local_graph.py b/checkov/terraform/graph_builder/local_graph.py index 0ce7ae8b635..c2232771f85 100644 --- a/checkov/terraform/graph_builder/local_graph.py +++ b/checkov/terraform/graph_builder/local_graph.py @@ -5,9 +5,7 @@ from collections import defaultdict from functools import partial from pathlib import Path -from typing import List, Optional, Union, Any, Dict, overload - -from typing_extensions import TypedDict +from typing import List, Optional, Union, Any, Dict, overload, TypedDict import checkov.terraform.graph_builder.foreach.consts from checkov.common.graph.graph_builder import Edge diff --git a/checkov/terraform/graph_builder/utils.py b/checkov/terraform/graph_builder/utils.py index e0b576a5951..1bc69814fd2 100644 --- a/checkov/terraform/graph_builder/utils.py +++ b/checkov/terraform/graph_builder/utils.py @@ -8,11 +8,12 @@ import igraph +from checkov.common.typing import LibraryGraph from checkov.common.util.parser_utils import TERRAFORM_NESTED_MODULE_PATH_SEPARATOR_LENGTH, \ TERRAFORM_NESTED_MODULE_INDEX_SEPARATOR +from networkx import DiGraph if TYPE_CHECKING: - from networkx import DiGraph from checkov.terraform.graph_builder.graph_components.blocks import TerraformBlock from checkov.common.util.type_forcers import force_int @@ -364,11 +365,25 @@ def get_file_path_to_referred_id_igraph(graph_object: igraph.Graph) -> dict[str, return file_path_to_module_id -def setup_file_path_to_referred_id(graph_object: DiGraph | igraph.Graph) -> dict[str, str]: +def get_file_path_to_referred_id_rustworkx(graph_object: DiGraph) -> dict[str, str]: + file_path_to_module_id = {} + + modules = [node for index, node in graph_object.nodes() if + node.get(CustomAttributes.BLOCK_TYPE) == BlockType.MODULE] + for modules_data in modules: + for module_name, module_content in modules_data.get(CustomAttributes.CONFIG, {}).items(): + for path in module_content.get("__resolved__", []): + file_path_to_module_id[path] = f"module.{module_name}" + return file_path_to_module_id + + +def setup_file_path_to_referred_id(graph_object: LibraryGraph) -> dict[str, str]: if isinstance(graph_object, igraph.Graph): return get_file_path_to_referred_id_igraph(graph_object) - else: # the default value of the graph framework is 'NETWORKX' + elif isinstance(graph_object, DiGraph): return get_file_path_to_referred_id_networkx(graph_object) + else: + return get_file_path_to_referred_id_rustworkx(graph_object) def get_attribute_is_leaf(vertex: TerraformBlock) -> Dict[str, bool]: diff --git a/checkov/terraform/graph_manager.py b/checkov/terraform/graph_manager.py index 1dddc9c8211..f5553921c6b 100644 --- a/checkov/terraform/graph_manager.py +++ b/checkov/terraform/graph_manager.py @@ -1,6 +1,7 @@ from __future__ import annotations import logging +import os from typing import Type, Any, TYPE_CHECKING, overload from checkov.common.util.consts import DEFAULT_EXTERNAL_MODULES_DIR @@ -31,8 +32,7 @@ def build_multi_graph_from_source_directory( excluded_paths: list[str] | None = None, external_modules_download_path: str = DEFAULT_EXTERNAL_MODULES_DIR, vars_files: list[str] | None = None, - create_graph: bool = True, - ) -> list[tuple[TerraformLocalGraph | None, list[dict[TFDefinitionKey, dict[str, Any]]]]]: + ) -> tuple[list[tuple[TerraformLocalGraph, list[dict[TFDefinitionKey, dict[str, Any]]], str]], dict[str, str]]: logging.info("Parsing HCL files in source dir to multi graph") modules_with_definitions = self.parser.parse_multi_graph_hcl_module( source_dir=source_dir, @@ -42,18 +42,19 @@ def build_multi_graph_from_source_directory( parsing_errors=parsing_errors, excluded_paths=excluded_paths, vars_files=vars_files, - create_graph=create_graph, ) - graphs: list[tuple[TerraformLocalGraph | None, list[dict[TFDefinitionKey, dict[str, Any]]]]] = [] + graphs: list[tuple[TerraformLocalGraph, list[dict[TFDefinitionKey, dict[str, Any]]], str]] = [] + resource_subgraph_map: dict[str, str] = {} for module, tf_definitions in modules_with_definitions: - if create_graph and module: - logging.info("Building graph from parsed module") - local_graph = local_graph_class(module) - local_graph.build_graph(render_variables=render_variables) - graphs.append((local_graph, tf_definitions)) - - return graphs + logging.info("Building graph from parsed module") + local_graph = local_graph_class(module) + local_graph.build_graph(render_variables=render_variables) + subgraph_abs_path = module.source_dir + subgraph_path = subgraph_abs_path[subgraph_abs_path.rindex(source_dir) + len(source_dir) + 1:] + graphs.append((local_graph, tf_definitions, subgraph_path)) + self.update_resource_subgraph_map(local_graph, subgraph_path, resource_subgraph_map, source_dir) + return graphs, resource_subgraph_map def build_graph_from_source_directory( self, @@ -65,8 +66,7 @@ def build_graph_from_source_directory( excluded_paths: list[str] | None = None, external_modules_download_path: str = DEFAULT_EXTERNAL_MODULES_DIR, vars_files: list[str] | None = None, - create_graph: bool = True, - ) -> tuple[TerraformLocalGraph | None, dict[TFDefinitionKey, dict[str, Any]]]: + ) -> tuple[TerraformLocalGraph, dict[TFDefinitionKey, dict[str, Any]]]: logging.info("Parsing HCL files in source dir to graph") module, tf_definitions = self.parser.parse_hcl_module( source_dir=source_dir, @@ -76,14 +76,11 @@ def build_graph_from_source_directory( parsing_errors=parsing_errors, excluded_paths=excluded_paths, vars_files=vars_files, - create_graph=create_graph, ) - local_graph = None - if create_graph and module: - logging.info("Building graph from parsed module") - local_graph = local_graph_class(module) - local_graph.build_graph(render_variables=render_variables) + logging.info("Building graph from parsed module") + local_graph = local_graph_class(module) + local_graph.build_graph(render_variables=render_variables) return local_graph, tf_definitions @@ -110,16 +107,27 @@ def build_graph_from_definitions( return local_graph - def build_multi_graph_from_definitions(self, definitions: dict[TFDefinitionKey, dict[str, Any]], - render_variables: bool = True) -> list[TerraformLocalGraph]: + def build_multi_graph_from_definitions( + self, + definitions: dict[TFDefinitionKey, dict[str, Any]], + render_variables: bool = True, + ) -> list[tuple[str | None, TerraformLocalGraph]]: module, tf_definitions = self.parser.parse_hcl_module_from_tf_definitions(definitions, "", self.source) dirs_to_definitions = self.parser.create_definition_by_dirs(tf_definitions) - graphs: list[TerraformLocalGraph] = [] + graphs: list[tuple[str | None, TerraformLocalGraph]] = [] for source_path, dir_definitions in dirs_to_definitions.items(): module, parsed_tf_definitions = self.parser.parse_hcl_module_from_multi_tf_definitions(dir_definitions, source_path, self.source) local_graph = TerraformLocalGraph(module) local_graph.build_graph(render_variables=render_variables) - graphs.append(local_graph) + graphs.append((source_path, local_graph)) return graphs + + @staticmethod + def update_resource_subgraph_map( + local_graph: TerraformLocalGraph, subgraph_path: str, resource_subgraph_map: dict[str, str], source_dir: str + ) -> None: + for v in local_graph.vertices: + resource_id = f"/{os.path.relpath(v.path, source_dir)}:{v.id}" + resource_subgraph_map[resource_id] = subgraph_path diff --git a/checkov/terraform/module_loading/loader.py b/checkov/terraform/module_loading/loader.py index 75ab5529f21..0e721511c85 100644 --- a/checkov/terraform/module_loading/loader.py +++ b/checkov/terraform/module_loading/loader.py @@ -28,6 +28,9 @@ def __init__(self) -> None: self.inner_module: Optional[str] = None self.root_dir = "" # root dir for storing external modules + def __eq__(self, loader: object) -> bool: + return type(loader) is type(self) + @abstractmethod def discover(self, module_params: ModuleParams) -> None: """ diff --git a/checkov/terraform/module_loading/loaders/git_loader.py b/checkov/terraform/module_loading/loaders/git_loader.py index 590fe196521..115cb2b0db2 100644 --- a/checkov/terraform/module_loading/loaders/git_loader.py +++ b/checkov/terraform/module_loading/loaders/git_loader.py @@ -61,7 +61,6 @@ def _is_matching_loader(self, module_params: ModuleParams) -> bool: def _load_module(self, module_params: ModuleParams) -> ModuleContent: try: self._process_generic_git_repo(module_params) - module_source = module_params.module_source.replace("git::", "") git_getter = GitGetter(module_source, create_clone_and_result_dirs=False) git_getter.temp_dir = module_params.dest_dir diff --git a/checkov/terraform/module_loading/loaders/local_path_loader.py b/checkov/terraform/module_loading/loaders/local_path_loader.py index 392b02d3739..3943adf29bd 100644 --- a/checkov/terraform/module_loading/loaders/local_path_loader.py +++ b/checkov/terraform/module_loading/loaders/local_path_loader.py @@ -24,6 +24,10 @@ def discover(self, module_params: ModuleParams) -> None: pass def _is_matching_loader(self, module_params: ModuleParams) -> bool: + if module_params.tf_managed: + # Terraform managed modules are already downloaded and can be handled as local modules + return True + if module_params.module_source.startswith(("./", "../", module_params.current_dir, "/")): return True diff --git a/checkov/terraform/module_loading/module_finder.py b/checkov/terraform/module_loading/module_finder.py index 55c7b259f8e..c27a629cd80 100644 --- a/checkov/terraform/module_loading/module_finder.py +++ b/checkov/terraform/module_loading/module_finder.py @@ -1,31 +1,34 @@ from __future__ import annotations +import json import logging import os import re +from pathlib import Path from typing import List, Callable from checkov.common.parallelizer.parallel_runner import parallel_runner from checkov.common.util.file_utils import read_file_with_any_encoding +from checkov.common.util.type_forcers import convert_str_to_bool from checkov.terraform.module_loading.registry import module_loader_registry +MODULE_NAME_PATTERN = re.compile(r'[^#]*\bmodule\s*"(?P.*)"') MODULE_SOURCE_PATTERN = re.compile(r'[^#]*\bsource\s*=\s*"(?P.*)"') -MODULE_VERSION_PATTERN = re.compile(r'[^#]*\bversion\s*=\s*"(?P=|!=|>=|>|<=|<|~>)?\s*(?P[\d.]+-?\w*)"') +MODULE_VERSION_PATTERN = re.compile(r'[^#]*\bversion\s*=\s*"(?P=|!=|>=|>|<=|<|~>\s*)?(?P[\d.]+-?\w*)"') class ModuleDownload: def __init__(self, source_dir: str) -> None: self.source_dir = source_dir + self.address: str | None = None + self.module_name: str | None = None self.module_link: str | None = None + self.tf_managed = False self.version: str | None = None def __str__(self) -> str: return f"{self.source_dir} -> {self.module_link} ({self.version})" - @property - def address(self) -> str: - return f'{self.module_link}:{self.version}' - def find_modules(path: str) -> List[ModuleDownload]: modules_found: list[ModuleDownload] = [] @@ -34,6 +37,9 @@ def find_modules(path: str) -> List[ModuleDownload]: for file_name in full_file_names: if not file_name.endswith('.tf'): continue + if root.startswith(os.path.join(path, ".terraform", "modules")): + # don't scan the modules folder used by Terraform + continue try: content = read_file_with_any_encoding(file_path=os.path.join(path, root, file_name)) @@ -46,12 +52,19 @@ def find_modules(path: str) -> List[ModuleDownload]: if not curr_md: if line.startswith('module'): curr_md = ModuleDownload(os.path.dirname(os.path.join(root, file_name))) + + # also extract the name for easier mapping against the TF modules.json file + match = re.match(MODULE_NAME_PATTERN, line) + if match: + curr_md.module_name = match.group("name") + continue else: if line.startswith('}'): if curr_md.module_link is None: logging.warning(f'A module at {curr_md.source_dir} had no source, skipping') else: + curr_md.address = f"{curr_md.module_link}:{curr_md.version}" modules_found.append(curr_md) curr_md = None continue @@ -93,8 +106,13 @@ def _download_module(m: ModuleDownload) -> bool: if should_download_module(m.module_link): logging.info(f'Downloading module {m.address}') try: - content = module_loader_registry.load(m.source_dir, m.module_link, - "latest" if not m.version else m.version) + content = module_loader_registry.load( + current_dir=m.source_dir, + source=m.module_link, + source_version="latest" if not m.version else m.version, + module_address=m.address, + tf_managed=m.tf_managed, + ) if content is None or not content.loaded(): log_message = f'Failed to download module {m.address}' if not module_loader_registry.download_external_modules: @@ -109,12 +127,59 @@ def _download_module(m: ModuleDownload) -> bool: # To avoid duplicate work, we need to get the distinct module sources distinct_modules = list({m.address: m for m in modules_to_load}.values()) + replaced_modules = replace_terraform_managed_modules(path=path, found_modules=distinct_modules) + if run_parallel: - list(parallel_runner.run_function(_download_module, distinct_modules)) + list(parallel_runner.run_function(_download_module, replaced_modules)) else: - logging.info(f"Starting download of modules of length {len(distinct_modules)}") - for m in distinct_modules: + logging.info(f"Starting download of modules of length {len(replaced_modules)}") + for m in replaced_modules: success = _download_module(m) if not success and stop_on_failure: logging.info(f"Stopping downloading of modules due to failed attempt on {m.address}") break + + +def replace_terraform_managed_modules(path: str, found_modules: list[ModuleDownload]) -> list[ModuleDownload]: + """Replaces modules by Terraform managed ones to prevent addtional downloading + + It can't handle nested modules yet, ex. + { + "Key": "parent_module.child_module", + "Source": "./child_module", + "Dir": "parent_module/child_module" + } + """ + + if not convert_str_to_bool(os.getenv("CHECKOV_EXPERIMENTAL_TERRAFORM_MANAGED_MODULES", False)): + return found_modules + + # file used by Terraform internally to map modules to the downloaded path + tf_modules_file = Path(path) / ".terraform/modules/modules.json" + if not tf_modules_file.exists(): + return found_modules + + # create Key (module name) to module detail map for faster querying + tf_modules = { + module["Key"]: module + for module in json.loads(tf_modules_file.read_bytes())["Modules"] + } + + replaced_modules: list[ModuleDownload] = [] + for module in found_modules: + if module.module_name in tf_modules: + tf_module = tf_modules[module.module_name] + + module_new = ModuleDownload(source_dir=path) + # if version is 'None' then set it to latest in the address, so it can be mapped properly later on + module_new.address = f"{module.module_link}:latest" if module.version is None else module.address + module_new.module_link = tf_module["Dir"] + module_new.module_name = module.module_name + module_new.tf_managed = True + module_new.version = module.version + + replaced_modules.append(module_new) + else: + replaced_modules.append(module) + + return replaced_modules diff --git a/checkov/terraform/module_loading/module_params.py b/checkov/terraform/module_loading/module_params.py index 1b5976f6d33..30abd6ed718 100644 --- a/checkov/terraform/module_loading/module_params.py +++ b/checkov/terraform/module_loading/module_params.py @@ -4,8 +4,17 @@ @dataclass class ModuleParams: - def __init__(self, root_dir: str, current_dir: str, source: str, source_version: Optional[str], dest_dir: str, - external_modules_folder_name: str, inner_module: Optional[str] = None): + def __init__( + self, + root_dir: str, + current_dir: str, + source: str, + source_version: Optional[str], + dest_dir: str, + external_modules_folder_name: str, + inner_module: Optional[str] = None, + tf_managed: bool = False, + ): self.root_dir: str = root_dir self.current_dir: str = current_dir self.module_source: str = source @@ -13,6 +22,7 @@ def __init__(self, root_dir: str, current_dir: str, source: str, source_version: self.dest_dir: str = dest_dir self.external_modules_folder_name: str = external_modules_folder_name self.inner_module: Optional[str] = inner_module + self.tf_managed = tf_managed self.token: Optional[str] = None self.username: Optional[str] = None diff --git a/checkov/terraform/module_loading/registry.py b/checkov/terraform/module_loading/registry.py index 39ee5088881..5b6eca9a706 100644 --- a/checkov/terraform/module_loading/registry.py +++ b/checkov/terraform/module_loading/registry.py @@ -28,7 +28,14 @@ def __init__( self.failed_urls_cache: Set[str] = set() self.root_dir = "" # root dir for storing external modules - def load(self, current_dir: str, source: str | None, source_version: Optional[str]) -> ModuleContent | None: + def load( + self, + current_dir: str, + source: str | None, + source_version: str | None, + module_address: str | None = None, + tf_managed: bool = False, + ) -> ModuleContent | None: """ Search all registered loaders for the first one which is able to load the module source type. For more information, see `loader.ModuleLoader.load`. @@ -36,7 +43,8 @@ def load(self, current_dir: str, source: str | None, source_version: Optional[st if source is None: return None - module_address = f'{source}:{source_version}' + if module_address is None: + module_address = f'{source}:{source_version}' if module_address in self.module_content_cache: logging.debug(f'Used the cache for module {module_address}') return self.module_content_cache[module_address] @@ -59,17 +67,22 @@ def load(self, current_dir: str, source: str | None, source_version: Optional[st next_url = "" if source in self.failed_urls_cache: break + logging.info(f"Iterating over {len(self.loaders)} loaders") for loader in self.loaders: if not self.download_external_modules and loader.is_external: continue try: - module_params = ModuleParams(root_dir=self.root_dir, - current_dir=current_dir, - source=source, - source_version=source_version, - dest_dir=local_dir, - external_modules_folder_name=self.external_modules_folder_name, - inner_module=inner_module) + module_params = ModuleParams( + root_dir=self.root_dir, + current_dir=current_dir, + source=source, + source_version=source_version, + dest_dir=local_dir, + external_modules_folder_name=self.external_modules_folder_name, + inner_module=inner_module, + tf_managed=tf_managed, + ) + logging.info(f"Attempting loading via {loader.__class__} loader") content = loader.load(module_params) except Exception as e: logging.warning(f'Module {module_address} failed to load via {loader.__class__}') @@ -99,7 +112,8 @@ def load(self, current_dir: str, source: str | None, source_version: Optional[st return content def register(self, loader: "ModuleLoader") -> None: - self.loaders.append(loader) + if loader not in self.loaders: + self.loaders.append(loader) def reset_module_content_cache(self) -> None: self.module_content_cache = {} diff --git a/checkov/terraform/modules/module_objects.py b/checkov/terraform/modules/module_objects.py index 80fdef5c924..4082709b6c0 100644 --- a/checkov/terraform/modules/module_objects.py +++ b/checkov/terraform/modules/module_objects.py @@ -1,23 +1,16 @@ from __future__ import annotations import json from collections.abc import Iterator -from typing import Optional, Any +from dataclasses import dataclass +from typing import Any +@dataclass(frozen=True) class TFModule: - __slots__ = ("path", "name", "foreach_idx", "nested_tf_module") - - def __init__(self, path: str, name: str | None, nested_tf_module: Optional[TFModule] = None, - foreach_idx: Optional[int | str] = None) -> None: - self.path = path - self.name = name - self.foreach_idx = foreach_idx - self.nested_tf_module = nested_tf_module - - def __eq__(self, other: Any) -> bool: - if not isinstance(other, TFModule): - return False - return self.path == other.path and self.name == other.name and self.nested_tf_module == other.nested_tf_module and self.foreach_idx == other.foreach_idx + path: str + name: str | None + nested_tf_module: TFModule | None = None + foreach_idx: int | str | None = None def __lt__(self, other: Any) -> bool: if not isinstance(other, TFModule): @@ -28,9 +21,6 @@ def __lt__(self, other: Any) -> bool: def __repr__(self) -> str: return f'path:{self.path}, name:{self.name}, nested_tf_module:{self.nested_tf_module}, foreach_idx:{self.foreach_idx}' - def __hash__(self) -> int: - return hash((self.path, self.name, self.nested_tf_module, self.foreach_idx)) - def __iter__(self) -> Iterator[tuple[str, Any]]: yield from { "path": self.path, @@ -50,17 +40,10 @@ def from_json(json_dct: dict[str, Any]) -> TFModule | None: 'nested_tf_module') else None) if json_dct else None +@dataclass(frozen=True) class TFDefinitionKey: - __slots__ = ("tf_source_modules", "file_path") - - def __init__(self, file_path: str, tf_source_modules: Optional[TFModule] = None) -> None: - self.tf_source_modules = tf_source_modules - self.file_path = file_path - - def __eq__(self, other: Any) -> bool: - if not isinstance(other, TFDefinitionKey): - return False - return self.tf_source_modules == other.tf_source_modules and self.file_path == other.file_path + file_path: str + tf_source_modules: TFModule | None = None def __lt__(self, other: Any) -> bool: if not isinstance(other, TFDefinitionKey): @@ -70,9 +53,6 @@ def __lt__(self, other: Any) -> bool: def __repr__(self) -> str: return f'tf_source_modules:{self.tf_source_modules}, file_path:{self.file_path}' - def __hash__(self) -> int: - return hash((self.file_path, self.tf_source_modules)) - def __iter__(self) -> Iterator[tuple[str, Any]]: yield from { "file_path": self.file_path, diff --git a/checkov/terraform/parser_functions.py b/checkov/terraform/parser_functions.py index 1778cc9fcd9..16889e8b381 100644 --- a/checkov/terraform/parser_functions.py +++ b/checkov/terraform/parser_functions.py @@ -5,6 +5,7 @@ from collections.abc import Hashable from typing import Dict, List, Union, Any, Callable +from checkov.common.util.data_structures_utils import pickle_deepcopy from checkov.common.util.type_forcers import convert_str_to_bool from checkov.common.util.parser_utils import eval_string, split_merge_args, string_to_native, to_string @@ -199,7 +200,16 @@ def process_dynamic_values(conf: Dict[str, List[Any]]) -> bool: for element_name, element_value in dynamic_element.items(): if "content" in element_value: - conf[element_name] = element_value["content"] + if element_name in conf: + if not isinstance(conf[element_name], list): + conf[element_name] = [conf[element_name]] + if isinstance(element_value["content"], list): + conf[element_name].extend(element_value["content"]) + else: + conf[element_name].append(element_value["content"]) + + else: + conf[element_name] = pickle_deepcopy(element_value["content"]) else: # this should be the result of a successful dynamic block rendering # in some cases a whole dict is added, which doesn't have a list around it diff --git a/checkov/terraform/plan_parser.py b/checkov/terraform/plan_parser.py index 33fe2ad267f..576a651d358 100644 --- a/checkov/terraform/plan_parser.py +++ b/checkov/terraform/plan_parser.py @@ -25,6 +25,7 @@ "aws_iam_group_policy": "policy", "aws_iam_user_policy": "policy", "aws_ssoadmin_permission_set_inline_policy": "inline_policy", + "azurerm_portal_dashboard": "dashboard_properties", } diff --git a/checkov/terraform/plan_runner.py b/checkov/terraform/plan_runner.py index bd0892250d5..566329efbff 100644 --- a/checkov/terraform/plan_runner.py +++ b/checkov/terraform/plan_runner.py @@ -3,10 +3,10 @@ import logging import os import platform - -from typing import Type, Optional, Any - import pathlib +from typing import Type, Optional, Any, cast + +from typing_extensions import TypeAlias # noqa[TC002] from checkov.common.graph.checks_infra.registry import BaseRegistry from checkov.common.typing import LibraryGraphConnector, TFDefinitionKeyType @@ -21,17 +21,18 @@ from checkov.common.util.secrets import omit_secret_value_from_checks from checkov.common.bridgecrew.check_type import CheckType -from checkov.common.output.report import Report -from checkov.common.runners.base_runner import CHECKOV_CREATE_GRAPH +from checkov.common.output.report import Report, merge_reports from checkov.runner_filter import RunnerFilter +from checkov.terraform.base_runner import BaseTerraformRunner from checkov.terraform.checks.data.registry import data_registry from checkov.terraform.checks.resource.registry import resource_registry from checkov.terraform.context_parsers.registry import parser_registry from checkov.terraform.plan_parser import TF_PLAN_RESOURCE_ADDRESS from checkov.terraform.plan_utils import create_definitions, build_definitions_context -from checkov.terraform.runner import Runner as TerraformRunner, merge_reports from checkov.terraform.deep_analysis_plan_graph_manager import DeepAnalysisGraphManager +_TerraformPlanContext: TypeAlias = "dict[str, dict[str, Any]]" +_TerraformPlanDefinitions: TypeAlias = "dict[str, dict[str, Any]]" # set of check IDs with lifecycle condition TF_LIFECYCLE_CHECK_IDS = { @@ -67,7 +68,7 @@ } -class Runner(TerraformRunner): +class Runner(BaseTerraformRunner[_TerraformPlanDefinitions, _TerraformPlanContext, str]): check_type = CheckType.TERRAFORM_PLAN # noqa: CCE003 # a static attribute def __init__(self, graph_class: Type[TerraformLocalGraph] = TerraformLocalGraph, @@ -83,12 +84,12 @@ def __init__(self, graph_class: Type[TerraformLocalGraph] = TerraformLocalGraph, source=source, ) self.file_extensions = ['.json'] # override what gets set from the TF runner - self.definitions = None - self.context = None - self.graph_registry = get_graph_checks_registry(super().check_type) + self.definitions: _TerraformPlanDefinitions | None = None + self.context: _TerraformPlanContext | None = None + self.graph_registry = get_graph_checks_registry(check_type=CheckType.TERRAFORM) self.deep_analysis = False - self.repo_root_for_plan_enrichment = [] - self.tf_plan_local_graph = None + self.repo_root_for_plan_enrichment: str | None = None + self.tf_plan_local_graph: TerraformLocalGraph | None = None block_type_registries = { # noqa: CCE003 # a static attribute 'resource': resource_registry, @@ -115,22 +116,22 @@ def run( if self.definitions is None or self.context is None: self.definitions, definitions_raw = create_definitions(root_folder, files, runner_filter, parsing_errors) self.context = build_definitions_context(self.definitions, definitions_raw) - if CHECKOV_CREATE_GRAPH: - self.tf_plan_local_graph = self.graph_manager.build_graph_from_definitions(self.definitions, render_variables=False) - for vertex in self.tf_plan_local_graph.vertices: - if vertex.block_type == BlockType.RESOURCE: - address = vertex.attributes.get(CustomAttributes.TF_RESOURCE_ADDRESS) - report.add_resource(f'{vertex.path}:{address}') - self.graph_manager.save_graph(self.tf_plan_local_graph) - if self._should_run_deep_analysis: - tf_local_graph = self._create_terraform_graph(runner_filter) + self.tf_plan_local_graph = self.graph_manager.build_graph_from_definitions(self.definitions, render_variables=False) + for vertex in self.tf_plan_local_graph.vertices: + if vertex.block_type == BlockType.RESOURCE: + address = vertex.attributes.get(CustomAttributes.TF_RESOURCE_ADDRESS) + report.add_resource(f'{vertex.path}:{address}') + self.graph_manager.save_graph(self.tf_plan_local_graph) + if self._should_run_deep_analysis: + tf_local_graph = self._create_terraform_graph(runner_filter) if external_checks_dir: for directory in external_checks_dir: resource_registry.load_external_checks(directory) self.graph_registry.load_external_checks(directory) if not root_folder: - root_folder = os.path.split(os.path.commonprefix(files))[0] + # 'root_folder' and 'files' can't be both empty + root_folder = os.path.split(os.path.commonprefix(files))[0] # type:ignore[arg-type] self.check_tf_definition(report, root_folder, runner_filter) report.add_parsing_errors(parsing_errors.keys()) @@ -156,7 +157,7 @@ def run( return report @staticmethod - def _extend_resource_attributes_to_omit(runner_filter: RunnerFilter): + def _extend_resource_attributes_to_omit(runner_filter: RunnerFilter) -> None: for k, v in RESOURCE_ATTRIBUTES_TO_OMIT.items(): # It's ok as runner_filter is ALWAYS default dict with set() as value runner_filter.resource_attr_to_omit[k].update(v) @@ -167,7 +168,7 @@ def _get_graph_report( runner_filter: RunnerFilter, tf_local_graph: Optional[TerraformLocalGraph] ) -> Report: - if self._should_run_deep_analysis and tf_local_graph: + if self._should_run_deep_analysis and tf_local_graph and self.tf_plan_local_graph: deep_analysis_graph_manager = DeepAnalysisGraphManager(tf_local_graph, self.tf_plan_local_graph) deep_analysis_graph_manager.enrich_tf_graph_attributes() self.graph_manager.save_graph(tf_local_graph) @@ -176,17 +177,22 @@ def _get_graph_report( return graph_report return self.get_graph_checks_report(root_folder, runner_filter) - def _create_terraform_graph(self, runner_filter) -> TerraformLocalGraph: + def _create_terraform_graph(self, runner_filter: RunnerFilter) -> TerraformLocalGraph: graph_manager = TerraformGraphManager(db_connector=self.db_connector) tf_local_graph, _ = graph_manager.build_graph_from_source_directory( - self.repo_root_for_plan_enrichment, + self.repo_root_for_plan_enrichment, # type:ignore[arg-type] # can't be 'None' at this point render_variables=True, download_external_modules=runner_filter.download_external_modules ) self.graph_manager = graph_manager return tf_local_graph - def check_tf_definition(self, report, root_folder, runner_filter, collect_skip_comments=True): + def check_tf_definition( + self, report: Report, root_folder: str, runner_filter: RunnerFilter, collect_skip_comments: bool = True + ) -> None: + if not self.definitions: + return + for full_file_path, definition in self.definitions.items(): full_file_path, scanned_file = self._get_file_path(full_file_path, root_folder) logging.debug(f"Scanning file: {scanned_file}") @@ -207,11 +213,20 @@ def _get_file_path(full_file_path: TFDefinitionKeyType, root_folder: str | pathl scanned_file = f"/{os.path.relpath(full_file_path, root_folder)}" return full_file_path, scanned_file - def run_block(self, entities, - definition_context, - full_file_path, root_folder, report, scanned_file, - block_type, runner_filter=None, entity_context_path_header=None, - module_referrer: str | None = None): + def run_block( + self, + entities: list[dict[str, Any]], + definition_context: _TerraformPlanContext | None, + full_file_path: str, + root_folder: str, + report: Report, + scanned_file: str, + block_type: str, + runner_filter: RunnerFilter | None = None, + entity_context_path_header: str | None = None, + module_referrer: str | None = None, + ) -> None: + runner_filter = runner_filter or RunnerFilter() registry = self.block_type_registries[block_type] if registry: for entity in entities: @@ -219,9 +234,9 @@ def run_block(self, entities, definition_path = context_parser.get_entity_context_path(entity) # Entity can exist only once per dir, for file as well entity_context = self.get_entity_context(definition_path, full_file_path, entity) - entity_lines_range = [entity_context.get('start_line'), entity_context.get('end_line')] - entity_code_lines = entity_context.get('code_lines') - entity_address = entity_context.get('address') + entity_lines_range = [entity_context.get('start_line', 1), entity_context.get('end_line', 1)] + entity_code_lines = entity_context.get('code_lines', []) + entity_address = entity_context['address'] _, _, entity_config = registry.extract_entity_details(entity) results = registry.scan(scanned_file, entity, [], runner_filter, report_type=CheckType.TERRAFORM_PLAN) @@ -256,21 +271,29 @@ def run_block(self, entities, report.add_record(record=record) def get_entity_context_and_evaluations(self, entity: dict[str, Any]) -> dict[str, Any] | None: + if not self.context: + return None + entity_id = entity[TF_PLAN_RESOURCE_ADDRESS] - raw_context = self.context.get(entity[CustomAttributes.FILE_PATH], {}).get(entity_id) + raw_context: dict[str, Any] | None = self.context.get(entity[CustomAttributes.FILE_PATH], {}).get(entity_id) if raw_context: raw_context['definition_path'] = entity[CustomAttributes.BLOCK_NAME].split('.') return raw_context - def get_entity_context(self, definition_path, full_file_path, entity): + def get_entity_context( + self, definition_path: list[str], full_file_path: str, entity: dict[str, Any] + ) -> dict[str, Any]: + if not self.context: + return {} + if len(definition_path) > 1: resource_type = definition_path[0] resource_name = definition_path[1] entity_id = entity.get(resource_type, {}).get(resource_name, {}).get(TF_PLAN_RESOURCE_ADDRESS) else: entity_id = definition_path[0] - return self.context.get(full_file_path, {}).get(entity_id) + return cast("dict[str, Any]", self.context.get(full_file_path, {}).get(entity_id, {})) @property def _should_run_deep_analysis(self) -> bool: - return self.deep_analysis and self.repo_root_for_plan_enrichment and self.tf_plan_local_graph + return bool(self.deep_analysis and self.repo_root_for_plan_enrichment and self.tf_plan_local_graph) diff --git a/checkov/terraform/plan_utils.py b/checkov/terraform/plan_utils.py index 8b9bafa0426..d2003662555 100644 --- a/checkov/terraform/plan_utils.py +++ b/checkov/terraform/plan_utils.py @@ -14,7 +14,7 @@ def create_definitions( - root_folder: str, + root_folder: str | None, files: list[str] | None = None, runner_filter: RunnerFilter | None = None, out_parsing_errors: dict[str, str] | None = None, diff --git a/checkov/terraform/runner.py b/checkov/terraform/runner.py index 2a276c39c7b..8658bc4ad40 100644 --- a/checkov/terraform/runner.py +++ b/checkov/terraform/runner.py @@ -3,65 +3,46 @@ import dataclasses import logging import os -import platform -from typing import Dict, Optional, Any, Set, TYPE_CHECKING +from typing import Any, TYPE_CHECKING, Optional -import dpath -import igraph from typing_extensions import TypeAlias # noqa[TC002] -from checkov.common.checks_infra.registry import get_graph_checks_registry +from checkov.common.bridgecrew.check_type import CheckType from checkov.common.graph.checks_infra.registry import BaseRegistry from checkov.common.graph.graph_builder.consts import GraphSource -from checkov.common.images.image_referencer import ImageReferencerMixin from checkov.common.output.extra_resource import ExtraResource from checkov.common.parallelizer.parallel_runner import parallel_runner -from checkov.common.models.enums import CheckResult from checkov.common.output.graph_record import GraphRecord from checkov.common.output.record import Record from checkov.common.output.report import Report, merge_reports, remove_duplicate_results -from checkov.common.bridgecrew.check_type import CheckType -from checkov.common.runners.base_runner import BaseRunner, CHECKOV_CREATE_GRAPH from checkov.common.util import data_structures_utils from checkov.common.util.consts import RESOLVED_MODULE_ENTRY_NAME -from checkov.common.util.data_structures_utils import pickle_deepcopy from checkov.terraform import get_module_from_full_path, get_module_name, get_abs_path -from checkov.common.util.secrets import omit_secret_value_from_checks, omit_secret_value_from_graph_checks -from checkov.common.variables.context import EvaluationContext +from checkov.common.util.secrets import omit_secret_value_from_checks from checkov.runner_filter import RunnerFilter +from checkov.terraform.base_runner import BaseTerraformRunner +from checkov.terraform.graph_manager import TerraformGraphManager from checkov.terraform.modules.module_objects import TFDefinitionKey, TFModule -from checkov.terraform.checks.data.registry import data_registry -from checkov.terraform.checks.module.registry import module_registry -from checkov.terraform.checks.provider.registry import provider_registry -from checkov.terraform.checks.resource.registry import resource_registry from checkov.terraform.context_parsers.registry import parser_registry from checkov.terraform.evaluation.base_variable_evaluation import BaseVariableEvaluation from checkov.common.graph.graph_builder.graph_components.attribute_names import CustomAttributes from checkov.terraform.graph_builder.graph_components.block_types import BlockType from checkov.terraform.graph_builder.graph_to_tf_definitions import convert_graph_vertices_to_tf_definitions from checkov.terraform.graph_builder.local_graph import TerraformLocalGraph -from checkov.terraform.graph_manager import TerraformGraphManager -from checkov.terraform.image_referencer.manager import TerraformImageReferencerManager -from checkov.terraform.tf_parser import TFParser from checkov.terraform.tag_providers import get_resource_tags from checkov.common.runners.base_runner import strtobool +from checkov.terraform.tf_parser import TFParser if TYPE_CHECKING: - from networkx import DiGraph - from checkov.common.checks_infra.registry import Registry - from checkov.common.images.image_referencer import Image - from checkov.common.typing import LibraryGraphConnector, _SkippedCheck, LibraryGraph + from checkov.common.typing import _SkippedCheck, LibraryGraph, LibraryGraphConnector _TerraformContext: TypeAlias = "dict[TFDefinitionKey, dict[str, Any]]" _TerraformDefinitions: TypeAlias = "dict[TFDefinitionKey, dict[str, Any]]" -# Allow the evaluation of empty variables -dpath.options.ALLOW_EMPTY_STRING_KEYS = True - -CHECK_BLOCK_TYPES = frozenset(['resource', 'data', 'provider', 'module']) +CHECK_BLOCK_TYPES = frozenset(["resource", "data", "provider", "module"]) -class Runner(ImageReferencerMixin[None], BaseRunner[_TerraformDefinitions, _TerraformContext, TerraformGraphManager]): +class Runner(BaseTerraformRunner[_TerraformDefinitions, _TerraformContext, TFDefinitionKey]): check_type = CheckType.TERRAFORM # noqa: CCE003 # a static attribute def __init__( @@ -71,39 +52,18 @@ def __init__( external_registries: list[BaseRegistry] | None = None, source: str = GraphSource.TERRAFORM, graph_class: type[TerraformLocalGraph] = TerraformLocalGraph, - graph_manager: TerraformGraphManager | None = None + graph_manager: TerraformGraphManager | None = None, ) -> None: - super().__init__(file_extensions=['.tf', '.hcl']) - self.external_registries = [] if external_registries is None else external_registries - self.graph_class = graph_class - self.parser = parser or TFParser() - self.definitions: _TerraformDefinitions | None = None - self.context: _TerraformContext | None = None - self.breadcrumbs = None - self.evaluations_context: Dict[TFDefinitionKey, Dict[str, EvaluationContext]] = {} - self.graph_manager: TerraformGraphManager = graph_manager if graph_manager is not None else TerraformGraphManager( - source=source, - db_connector=db_connector or self.db_connector, - ) - self.graph_registry: Registry = get_graph_checks_registry(self.check_type) - self.definitions_with_modules: dict[str, dict[str, Any]] = {} - self.referrer_cache: Dict[str, str] = {} - self.non_referred_cache: Set[str] = set() - - block_type_registries = { # noqa: CCE003 # a static attribute - 'resource': resource_registry, - 'data': data_registry, - 'provider': provider_registry, - 'module': module_registry, - } + super().__init__(parser, db_connector, external_registries, source, graph_class, graph_manager) + self.all_graphs: list[tuple[LibraryGraph, Optional[str]]] = [] def run( - self, - root_folder: str | None, - external_checks_dir: list[str] | None = None, - files: list[str] | None = None, - runner_filter: RunnerFilter | None = None, - collect_skip_comments: bool = True + self, + root_folder: str | None, + external_checks_dir: list[str] | None = None, + files: list[str] | None = None, + runner_filter: RunnerFilter | None = None, + collect_skip_comments: bool = True, ) -> Report | list[Report]: runner_filter = runner_filter or RunnerFilter() if not runner_filter.show_progress_bar: @@ -112,16 +72,14 @@ def run( report = Report(self.check_type) parsing_errors: dict[str, Exception] = {} self.load_external_checks(external_checks_dir) - local_graph = None - all_graphs: list[LibraryGraph] = [] if self.context is None or self.definitions is None or self.breadcrumbs is None: self.definitions = {} logging.info("Scanning root folder and producing fresh tf_definitions and context") - tf_split_graph = strtobool(os.getenv('TF_SPLIT_GRAPH', 'False')) + tf_split_graph = strtobool(os.getenv("TF_SPLIT_GRAPH", "False")) if root_folder: root_folder = os.path.abspath(root_folder) if tf_split_graph: - graphs_with_definitions = self.graph_manager.build_multi_graph_from_source_directory( + graphs_with_definitions, self.resource_subgraph_map = self.graph_manager.build_multi_graph_from_source_directory( source_dir=root_folder, local_graph_class=self.graph_class, download_external_modules=runner_filter.download_external_modules, @@ -129,13 +87,12 @@ def run( parsing_errors=parsing_errors, excluded_paths=runner_filter.excluded_paths, vars_files=runner_filter.var_files, - create_graph=CHECKOV_CREATE_GRAPH, ) - local_graph = [] - for graph, definitions in graphs_with_definitions: + local_graphs: list[tuple[str | None, TerraformLocalGraph]] = [] + for graph, definitions, subgraph_path in graphs_with_definitions: for definition in definitions: self.definitions.update(definition) - local_graph.append(graph) + local_graphs.append((subgraph_path, graph)) else: single_graph, self.definitions = self.graph_manager.build_graph_from_source_directory( source_dir=root_folder, @@ -145,26 +102,27 @@ def run( parsing_errors=parsing_errors, excluded_paths=runner_filter.excluded_paths, vars_files=runner_filter.var_files, - create_graph=CHECKOV_CREATE_GRAPH, ) # Make graph a list to allow single processing method for all cases - local_graph = [single_graph] + local_graphs = [(None, single_graph)] elif files: files = [os.path.abspath(file) for file in files] root_folder = os.path.split(os.path.commonprefix(files))[0] self._parse_files(files, parsing_errors) - if CHECKOV_CREATE_GRAPH: - if tf_split_graph: - local_graph = self.graph_manager.build_multi_graph_from_definitions(self.definitions) # type:ignore[assignment] # will be fixed after removing 'CHECKOV_CREATE_GRAPH' - else: - # local_graph needs to be a list to allow supporting multi graph - local_graph = [self.graph_manager.build_graph_from_definitions(self.definitions)] + if tf_split_graph: + local_graphs = self.graph_manager.build_multi_graph_from_definitions(self.definitions) + else: + # local_graph needs to be a list to allow supporting multi graph + local_graphs = [(None, self.graph_manager.build_graph_from_definitions(self.definitions))] else: raise Exception("Root directory was not specified, files were not specified") - if CHECKOV_CREATE_GRAPH and local_graph: - self._update_definitions_and_breadcrumbs(all_graphs, local_graph, report, root_folder) # type:ignore[arg-type] # will be fixed after removing 'CHECKOV_CREATE_GRAPH' + if local_graphs: + self._update_definitions_and_breadcrumbs( + local_graphs, + report, + root_folder) else: logging.info("Scanning root folder using existing tf_definitions") if root_folder is None: @@ -176,14 +134,13 @@ def run( report.add_parsing_errors(parsing_errors.keys()) - if CHECKOV_CREATE_GRAPH: - if all_graphs: - for igraph_graph in all_graphs: - graph_report = self.get_graph_checks_report(root_folder, runner_filter, graph=igraph_graph) - merge_reports(report, graph_report) - else: - graph_report = self.get_graph_checks_report(root_folder, runner_filter) + if self.all_graphs: + for igraph_graph, _ in self.all_graphs: + graph_report = self.get_graph_checks_report(root_folder, runner_filter, graph=igraph_graph) merge_reports(report, graph_report) + else: + graph_report = self.get_graph_checks_report(root_folder, runner_filter) + merge_reports(report, graph_report) report = remove_duplicate_results(report) @@ -200,18 +157,43 @@ def run( return report + def _parse_files(self, files: list[str], parsing_errors: dict[str, Exception]) -> None: + if self.definitions is None: + # just make sure it is not 'None' + self.definitions = {} + + def parse_file(file: str) -> tuple[str, dict[str, Any] | None, dict[str, Exception]] | None: + if not (file.endswith(".tf") or file.endswith(".hcl")): + return None + file_parsing_errors: dict[str, Exception] = {} + parse_result = self.parser.parse_file(file=file, parsing_errors=file_parsing_errors) + # the exceptions type can un-pickleable so we need to cast them to Exception + for path, e in file_parsing_errors.items(): + file_parsing_errors[path] = Exception(e.__repr__()) + return file, parse_result, file_parsing_errors + + results = parallel_runner.run_function(parse_file, files) + for result in results: + if result: + file, parse_result, file_parsing_errors = result + if parse_result is not None: + self.definitions[TFDefinitionKey(file_path=file)] = parse_result + if file_parsing_errors: + parsing_errors.update(file_parsing_errors) + def _update_definitions_and_breadcrumbs( - self, all_graphs: list[LibraryGraph], local_graph: list[TerraformLocalGraph], report: Report, root_folder: str + self, local_graphs: list[tuple[Optional[str], TerraformLocalGraph]], report: Report, root_folder: str ) -> None: self.definitions = {} self.breadcrumbs = {} - for graph in local_graph: + self.all_graphs = [] + for subgraph_path, graph in local_graphs: for vertex in graph.vertices: if vertex.block_type == BlockType.RESOURCE: vertex_id = vertex.attributes.get(CustomAttributes.TF_RESOURCE_ADDRESS) - report.add_resource(f'{vertex.path}:{vertex_id}') + report.add_resource(f"{vertex.path}:{vertex_id}") igraph_graph = self.graph_manager.save_graph(graph) - all_graphs.append(igraph_graph) + self.all_graphs.append((igraph_graph, subgraph_path)) current_definitions, current_breadcrumbs = convert_graph_vertices_to_tf_definitions( graph.vertices, root_folder, @@ -219,121 +201,6 @@ def _update_definitions_and_breadcrumbs( self.definitions.update(current_definitions) self.breadcrumbs.update(current_breadcrumbs) - def load_external_checks(self, external_checks_dir: list[str] | None) -> None: - if external_checks_dir: - for directory in external_checks_dir: - resource_registry.load_external_checks(directory) - self.graph_registry.load_external_checks(directory) - - def get_connected_node(self, entity: dict[str, Any], root_folder: str) -> Optional[Dict[str, Any]]: - connected_entity = entity.get('connected_node') - if not connected_entity: - return None - connected_entity_context = self.get_entity_context_and_evaluations(connected_entity) - if not connected_entity_context: - return None - full_file_path = connected_entity[CustomAttributes.FILE_PATH] - connected_node_data = {} - connected_node_data['code_block'] = connected_entity_context.get('code_lines') - connected_node_data['file_path'] = f"{os.sep}{os.path.relpath(full_file_path, root_folder)}" - connected_node_data['file_line_range'] = [connected_entity_context.get('start_line'), - connected_entity_context.get('end_line')] - connected_node_data['resource'] = ".".join(connected_entity_context['definition_path']) - connected_node_data['entity_tags'] = connected_entity.get('tags', {}) - connected_node_data['evaluations'] = None - connected_node_data['file_abs_path'] = os.path.abspath(full_file_path) - connected_node_data['resource_address'] = connected_entity_context.get('address') - return connected_node_data - - def get_graph_checks_report(self, root_folder: str, runner_filter: RunnerFilter, graph: igraph.Graph | None = None) -> Report: - report = Report(self.check_type) - checks_results = self.run_graph_checks_results(runner_filter, self.check_type, graph) - - for check, check_results in checks_results.items(): - for check_result in check_results: - entity = check_result['entity'] - entity_context = self.get_entity_context_and_evaluations(entity) - if entity_context: - full_file_path = entity[CustomAttributes.FILE_PATH] - copy_of_check_result = pickle_deepcopy(check_result) - for skipped_check in entity_context.get('skipped_checks', []): - if skipped_check['id'] == check.id: - copy_of_check_result['result'] = CheckResult.SKIPPED - copy_of_check_result['suppress_comment'] = skipped_check['suppress_comment'] - break - copy_of_check_result['entity'] = entity[CustomAttributes.CONFIG] - connected_node_data = self.get_connected_node(entity, root_folder) - if platform.system() == "Windows": - root_folder = os.path.split(full_file_path)[0] - resource_id = ".".join(entity_context['definition_path']) - resource = resource_id - definition_context_file_path = full_file_path - if entity.get(CustomAttributes.TF_RESOURCE_ADDRESS) and entity.get(CustomAttributes.TF_RESOURCE_ADDRESS) != resource_id: - # for plan resources - resource = entity[CustomAttributes.TF_RESOURCE_ADDRESS] - entity_config = self.get_graph_resource_entity_config(entity) - censored_code_lines = omit_secret_value_from_graph_checks( - check=check, - check_result=check_result, - entity_code_lines=entity_context.get('code_lines', []), - entity_config=entity_config, - resource_attributes_to_omit=runner_filter.resource_attr_to_omit - ) - record = Record( - check_id=check.id, - bc_check_id=check.bc_id, - check_name=check.name, - check_result=copy_of_check_result, - code_block=censored_code_lines, - file_path=f"{os.sep}{os.path.relpath(full_file_path, root_folder)}", - file_line_range=[ - entity_context.get('start_line', 1), - entity_context.get('end_line', 1), - ], - resource=resource, - entity_tags=entity.get('tags', {}), - evaluations=None, - check_class=check.__class__.__module__, - file_abs_path=os.path.abspath(full_file_path), - resource_address=entity_context.get('address'), - severity=check.severity, - bc_category=check.bc_category, - benchmarks=check.benchmarks, - connected_node=connected_node_data, - definition_context_file_path=definition_context_file_path - ) - if self.breadcrumbs: - breadcrumb = self.breadcrumbs.get(record.file_path, {}).get(resource) - if breadcrumb: - record = GraphRecord(record, breadcrumb) - record.set_guideline(check.guideline) - report.add_record(record=record) - return report - - def get_entity_context_and_evaluations(self, entity: dict[str, Any]) -> dict[str, Any] | None: - block_type = entity[CustomAttributes.BLOCK_TYPE] - tf_source_module_obj = entity.get(CustomAttributes.SOURCE_MODULE_OBJECT) - if isinstance(tf_source_module_obj, dict): - tf_source_module_obj = TFModule.from_json(tf_source_module_obj) - full_file_path = TFDefinitionKey(file_path=entity[CustomAttributes.FILE_PATH], - tf_source_modules=tf_source_module_obj) - - definition_path = entity[CustomAttributes.BLOCK_NAME].split('.') - entity_context_path = [block_type] + definition_path - try: - entity_context = self.context[full_file_path] # type:ignore[index] # at this point self.context is set - for k in entity_context_path: - if k in entity_context: - entity_context = entity_context[k] - else: - logging.warning(f'Failed to find context for {".".join(entity_context_path)}') - return None - entity_context['definition_path'] = definition_path - except KeyError: - logging.error(f"Did not find context for key {full_file_path}") - return {} - return entity_context - def check_tf_definition( self, report: Report, @@ -355,25 +222,79 @@ def check_tf_definition( definitions=definition_key_tuple, collect_skip_comments=collect_skip_comments ) self.context = definitions_context - logging.debug('Created definitions context') + logging.debug("Created definitions context") self.push_skipped_checks_down_from_modules(self.context) for full_file_path, definition in self.definitions.items(): - self.pbar.set_additional_data({'Current File Scanned': os.path.relpath( - full_file_path.file_path)}) + self.pbar.set_additional_data({"Current File Scanned": os.path.relpath(full_file_path.file_path)}) abs_scanned_file = get_abs_path(full_file_path) abs_referrer = None scanned_file = f"{os.sep}{os.path.relpath(abs_scanned_file, root_folder)}" logging.debug(f"Scanning file: {scanned_file}") - self.run_all_blocks(definition, self.context, full_file_path, root_folder, report, - scanned_file, runner_filter, abs_referrer) + self.run_all_blocks( + definition, self.context, full_file_path, root_folder, report, scanned_file, runner_filter, abs_referrer + ) self.pbar.update() self.pbar.close() + def push_skipped_checks_down_from_modules(self, definition_context: dict[TFDefinitionKey, dict[str, Any]]) -> None: + if not self.definitions: + # no need to proceed + return + + module_context_parser = parser_registry.context_parsers[BlockType.MODULE] + for tf_definition_key, definition in self.definitions.items(): + full_file_path = tf_definition_key + definition_modules_context = definition_context.get(full_file_path, {}).get(BlockType.MODULE, {}) + for entity in definition.get(BlockType.MODULE, []): + module_name = module_context_parser.get_entity_context_path(entity)[0] + skipped_checks = definition_modules_context.get(module_name, {}).get("skipped_checks") + resolved_paths = entity.get(module_name).get(RESOLVED_MODULE_ENTRY_NAME) + self.push_skipped_checks_down(definition_context, skipped_checks, resolved_paths) + + def push_skipped_checks_down( + self, + definition_context: dict[TFDefinitionKey, dict[str, Any]], + skipped_checks: list[_SkippedCheck], + resolved_paths: list[TFDefinitionKey], + ) -> None: + # this method pushes the skipped_checks down the 1 level to all resource types. + if not skipped_checks or not resolved_paths: + return + for ind, definition in enumerate(resolved_paths): + for block_type, block_configs in definition_context.get(definition, {}).items(): + # skip if type is not a Terraform resource + if block_type not in CHECK_BLOCK_TYPES: + continue + + if block_type == "module": + if not self.definitions: + # no need to proceed + continue + + # modules don't have a type, just a name + for module_name, module_config in block_configs.items(): + # append the skipped checks also from a module to another module + module_config["skipped_checks"] += skipped_checks + module_context = next( + m + for m in self.definitions.get(resolved_paths[ind], {}).get(block_type, []) + if module_name in m + ) + recursive_resolved_paths = module_context.get(module_name).get(RESOLVED_MODULE_ENTRY_NAME) + self.push_skipped_checks_down(definition_context, skipped_checks, recursive_resolved_paths) + else: + # there may be multiple resource types - aws_bucket, etc + for resource_configs in block_configs.values(): + # there may be multiple names for each resource type + for resource_config in resource_configs.values(): + # append the skipped checks from the module to the other resources. + resource_config["skipped_checks"] += skipped_checks + def run_all_blocks( self, definition: dict[str, list[dict[str, Any]]], - definitions_context: dict[TFDefinitionKey, dict[str, Any]], + definitions_context: _TerraformContext, full_file_path: TFDefinitionKey, root_folder: str, report: Report, @@ -386,14 +307,23 @@ def run_all_blocks( return block_types = set(definition.keys()) for block_type in block_types & CHECK_BLOCK_TYPES: - self.run_block(definition[block_type], definitions_context, - full_file_path, root_folder, report, - scanned_file, block_type, runner_filter, None, module_referrer) + self.run_block( + definition[block_type], + definitions_context, + full_file_path, + root_folder, + report, + scanned_file, + block_type, + runner_filter, + None, + module_referrer, + ) def run_block( self, entities: list[dict[str, Any]], - definition_context: dict[TFDefinitionKey, dict[str, Any]], + definition_context: _TerraformContext, full_file_path: TFDefinitionKey, root_folder: str, report: Report, @@ -421,18 +351,20 @@ def run_block( if module_full_path: module_name = get_module_name(full_file_path) if not module_name: - full_definition_path = entity_id.split('.') + full_definition_path = entity_id.split(".") try: - module_name_index = len(full_definition_path) - full_definition_path[::-1][1:].index(BlockType.MODULE) - 1 # the next item after the last 'module' prefix is the module name + module_name_index = ( + len(full_definition_path) - full_definition_path[::-1][1:].index(BlockType.MODULE) - 1 + ) # the next item after the last 'module' prefix is the module name except ValueError as e: # TODO handle multiple modules with the same name in repo - logging.warning(f'Failed to get module name for resource {entity_id}. {str(e)}') + logging.warning(f"Failed to get module name for resource {entity_id}. {str(e)}") continue module_name = full_definition_path[module_name_index] caller_context = definition_context[module_full_path].get(BlockType.MODULE, {}).get(module_name) if not caller_context: continue - caller_file_line_range = (caller_context.get('start_line', 1), caller_context.get('end_line', 1)) + caller_file_line_range = (caller_context.get("start_line", 1), caller_context.get("end_line", 1)) abs_caller_file = get_abs_path(module_full_path) caller_file_path = f"{os.sep}{os.path.relpath(abs_caller_file, root_folder)}" @@ -448,9 +380,9 @@ def run_block( definition_context[context_path], entity_context_path, ) - entity_lines_range = [entity_context.get('start_line', 1), entity_context.get('end_line', 1)] - entity_code_lines = entity_context.get('code_lines', []) - skipped_checks = entity_context.get('skipped_checks') + entity_lines_range = [entity_context.get("start_line", 1), entity_context.get("end_line", 1)] + entity_code_lines = entity_context.get("code_lines", []) + skipped_checks = entity_context.get("skipped_checks") except KeyError: # TODO: Context info isn't working for modules entity_lines_range = [1, 1] @@ -461,8 +393,9 @@ def run_block( variables_evaluations = {} for var_name, context_info in self.evaluations_context.get(full_file_path, {}).items(): variables_evaluations[var_name] = dataclasses.asdict(context_info) - entity_evaluations = BaseVariableEvaluation.reduce_entity_evaluations(variables_evaluations, - entity_context_path) + entity_evaluations = BaseVariableEvaluation.reduce_entity_evaluations( + variables_evaluations, entity_context_path + ) results = registry.scan(scanned_file, entity, skipped_checks, runner_filter) absolute_scanned_file_path = get_abs_path(full_file_path) # This duplicates a call at the start of scan, but adding this here seems better than kludging with some tuple return type @@ -474,7 +407,7 @@ def run_block( check_result=check_result, entity_code_lines=entity_code_lines, entity_config=entity_config, - resource_attributes_to_omit=runner_filter.resource_attr_to_omit + resource_attributes_to_omit=runner_filter.resource_attr_to_omit, ) record = Record( @@ -496,9 +429,9 @@ def run_block( bc_category=check.bc_category, benchmarks=check.benchmarks, details=check.details, - definition_context_file_path=full_file_path.file_path + definition_context_file_path=full_file_path.file_path, ) - if CHECKOV_CREATE_GRAPH and self.breadcrumbs: + if self.breadcrumbs: entity_key = entity_id breadcrumb = self.breadcrumbs.get(record.file_path, {}).get(entity_key) if breadcrumb: @@ -517,100 +450,27 @@ def run_block( ) ) - def _parse_files(self, files: list[str], parsing_errors: dict[str, Exception]) -> None: - if self.definitions is None: - # just make sure it is not 'None' - self.definitions = {} - - def parse_file(file: str) -> tuple[str, dict[str, Any] | None, dict[str, Exception]] | None: - if not (file.endswith(".tf") or file.endswith(".hcl")): - return None - file_parsing_errors: dict[str, Exception] = {} - parse_result = self.parser.parse_file(file=file, parsing_errors=file_parsing_errors) - # the exceptions type can un-pickleable so we need to cast them to Exception - for path, e in file_parsing_errors.items(): - file_parsing_errors[path] = Exception(e.__repr__()) - return file, parse_result, file_parsing_errors - - results = parallel_runner.run_function(parse_file, files) - for result in results: - if result: - file, parse_result, file_parsing_errors = result - if parse_result is not None: - self.definitions[TFDefinitionKey(file_path=file)] = parse_result - if file_parsing_errors: - parsing_errors.update(file_parsing_errors) - - def push_skipped_checks_down_from_modules(self, definition_context: dict[TFDefinitionKey, dict[str, Any]]) -> None: - if not self.definitions: - # no need to proceed - return - - module_context_parser = parser_registry.context_parsers[BlockType.MODULE] - for tf_definition_key, definition in self.definitions.items(): - full_file_path = tf_definition_key - definition_modules_context = definition_context.get(full_file_path, {}).get(BlockType.MODULE, {}) - for entity in definition.get(BlockType.MODULE, []): - module_name = module_context_parser.get_entity_context_path(entity)[0] - skipped_checks = definition_modules_context.get(module_name, {}).get('skipped_checks') - resolved_paths = entity.get(module_name).get(RESOLVED_MODULE_ENTRY_NAME) - self.push_skipped_checks_down(definition_context, skipped_checks, resolved_paths) - - def push_skipped_checks_down( - self, - definition_context: dict[TFDefinitionKey, dict[str, Any]], - skipped_checks: list[_SkippedCheck], - resolved_paths: list[TFDefinitionKey], - ) -> None: - # this method pushes the skipped_checks down the 1 level to all resource types. - if not skipped_checks or not resolved_paths: - return - for ind, definition in enumerate(resolved_paths): - for block_type, block_configs in definition_context.get(definition, {}).items(): - # skip if type is not a Terraform resource - if block_type not in CHECK_BLOCK_TYPES: - continue - - if block_type == "module": - if not self.definitions: - # no need to proceed - continue + def get_entity_context_and_evaluations(self, entity: dict[str, Any]) -> dict[str, Any] | None: + block_type = entity[CustomAttributes.BLOCK_TYPE] + tf_source_module_obj = entity.get(CustomAttributes.SOURCE_MODULE_OBJECT) + if isinstance(tf_source_module_obj, dict): + tf_source_module_obj = TFModule.from_json(tf_source_module_obj) + full_file_path = TFDefinitionKey( + file_path=entity[CustomAttributes.FILE_PATH], tf_source_modules=tf_source_module_obj + ) - # modules don't have a type, just a name - for module_name, module_config in block_configs.items(): - # append the skipped checks also from a module to another module - module_config["skipped_checks"] += skipped_checks - module_context = next(m for m in self.definitions.get(resolved_paths[ind], {}).get(block_type, []) if module_name in m) - recursive_resolved_paths = module_context.get(module_name).get(RESOLVED_MODULE_ENTRY_NAME) - self.push_skipped_checks_down(definition_context, skipped_checks, recursive_resolved_paths) + definition_path = entity[CustomAttributes.BLOCK_NAME].split(".") + entity_context_path = [block_type] + definition_path + try: + entity_context = self.context[full_file_path] # type:ignore[index] # at this point self.context is set + for k in entity_context_path: + if k in entity_context: + entity_context = entity_context[k] else: - # there may be multiple resource types - aws_bucket, etc - for resource_configs in block_configs.values(): - # there may be multiple names for each resource type - for resource_config in resource_configs.values(): - # append the skipped checks from the module to the other resources. - resource_config["skipped_checks"] += skipped_checks - - def extract_images( - self, - graph_connector: DiGraph | None = None, - definitions: dict[str, dict[str, Any] | list[dict[str, Any]]] | None = None, - definitions_raw: dict[str, list[tuple[int, str]]] | None = None - ) -> list[Image]: - if not graph_connector: - # should not happen - return [] - - manager = TerraformImageReferencerManager(graph_connector=graph_connector) - images = manager.extract_images_from_resources() - - return images - - @staticmethod - def get_graph_resource_entity_config(entity: dict[str, Any]) -> dict[str, Any]: - context_parser = parser_registry.context_parsers[entity[CustomAttributes.BLOCK_TYPE]] - entity_config: dict[str, Any] = entity[CustomAttributes.CONFIG] - definition_path = context_parser.get_entity_definition_path(entity_config) - for path in definition_path: - entity_config = entity_config[path] - return entity_config + logging.warning(f'Failed to find context for {".".join(entity_context_path)}') + return None + entity_context["definition_path"] = definition_path + except KeyError: + logging.error(f"Did not find context for key {full_file_path}") + return {} + return entity_context diff --git a/checkov/terraform/tf_parser.py b/checkov/terraform/tf_parser.py index d6c2c2a626b..ee05076f5cf 100644 --- a/checkov/terraform/tf_parser.py +++ b/checkov/terraform/tf_parser.py @@ -7,12 +7,12 @@ from pathlib import Path from typing import Optional, Dict, Mapping, Set, Tuple, Callable, Any, List, cast, TYPE_CHECKING, overload -import deep_merge import hcl2 from checkov.common.runners.base_runner import filter_ignored_paths, IGNORE_HIDDEN_DIRECTORY_ENV from checkov.common.util.consts import DEFAULT_EXTERNAL_MODULES_DIR, RESOLVED_MODULE_ENTRY_NAME from checkov.common.util.data_structures_utils import pickle_deepcopy +from checkov.common.util.deep_merge import pickle_deep_merge from checkov.common.util.type_forcers import force_list from checkov.common.variables.context import EvaluationContext from checkov.terraform import validate_malformed_definitions, clean_bad_definitions @@ -299,7 +299,7 @@ def _load_modules(self, root_dir: str, module_loader_registry: ModuleLoaderRegis resolved_loc_list.append(new_key) if all_module_definitions: - deep_merge.merge(all_module_definitions, module_definitions) + pickle_deep_merge(all_module_definitions, module_definitions) else: all_module_definitions = module_definitions @@ -308,7 +308,7 @@ def _load_modules(self, root_dir: str, module_loader_registry: ModuleLoaderRegis logging.warning(f"Unable to load module - source: {source}, version: {version}, error: {str(e)}") if all_module_definitions: - deep_merge.merge(self.out_definitions, all_module_definitions) + pickle_deep_merge(self.out_definitions, all_module_definitions) return skipped_a_module def parse_hcl_module( @@ -321,8 +321,7 @@ def parse_hcl_module( excluded_paths: list[str] | None = None, vars_files: list[str] | None = None, external_modules_content_cache: dict[str, ModuleContent | None] | None = None, - create_graph: bool = True, - ) -> tuple[Module | None, dict[TFDefinitionKey, dict[str, Any]]]: + ) -> tuple[Module, dict[TFDefinitionKey, dict[str, Any]]]: tf_definitions = self.parse_directory( directory=source_dir, out_evaluations_context={}, out_parsing_errors=parsing_errors if parsing_errors is not None else {}, @@ -333,9 +332,7 @@ def parse_hcl_module( tf_definitions = clean_parser_types(tf_definitions) tf_definitions = serialize_definitions(tf_definitions) - module = None - if create_graph: - module, tf_definitions = self.parse_hcl_module_from_tf_definitions(tf_definitions, source_dir, source) + module, tf_definitions = self.parse_hcl_module_from_tf_definitions(tf_definitions, source_dir, source) return module, tf_definitions @@ -349,7 +346,6 @@ def parse_multi_graph_hcl_module( excluded_paths: list[str] | None = None, vars_files: list[str] | None = None, external_modules_content_cache: dict[str, ModuleContent | None] | None = None, - create_graph: bool = True, ) -> list[tuple[Module, list[dict[TFDefinitionKey, dict[str, Any]]]]]: """ This function is similar to parse_hcl_module, except that it creates a list of tuples instead of a single tuple. @@ -369,10 +365,9 @@ def parse_multi_graph_hcl_module( dirs_to_definitions = self.create_definition_by_dirs(tf_definitions) modules_and_definitions_tuple: list[tuple[Module, list[dict[TFDefinitionKey, dict[str, Any]]]]] = [] - if create_graph: - for source_path, definitions in dirs_to_definitions.items(): - module, parsed_tf_definitions = self.parse_hcl_module_from_multi_tf_definitions(definitions, source_path, source) - modules_and_definitions_tuple.append((module, parsed_tf_definitions)) + for source_path, definitions in dirs_to_definitions.items(): + module, parsed_tf_definitions = self.parse_hcl_module_from_multi_tf_definitions(definitions, source_path, source) + modules_and_definitions_tuple.append((module, parsed_tf_definitions)) return modules_and_definitions_tuple diff --git a/checkov/terraform_json/runner.py b/checkov/terraform_json/runner.py index ace36b63edb..cd7967e8a4a 100644 --- a/checkov/terraform_json/runner.py +++ b/checkov/terraform_json/runner.py @@ -4,6 +4,8 @@ import os from typing import TYPE_CHECKING, Any +from typing_extensions import TypeAlias # noqa[TC002] + from checkov.common.bridgecrew.check_type import CheckType from checkov.common.checks_infra.registry import get_graph_checks_registry from checkov.common.graph.graph_builder import CustomAttributes @@ -12,13 +14,12 @@ from checkov.common.output.record import Record from checkov.common.output.report import Report from checkov.common.resource_code_logger_filter import add_resource_code_filter_to_logger -from checkov.common.runners.base_runner import CHECKOV_CREATE_GRAPH from checkov.common.util.consts import START_LINE, END_LINE from checkov.common.util.secrets import omit_secret_value_from_checks from checkov.runner_filter import RunnerFilter +from checkov.terraform.base_runner import BaseTerraformRunner from checkov.terraform.checks.resource.registry import resource_registry from checkov.terraform.graph_builder.local_graph import TerraformLocalGraph -from checkov.terraform.runner import Runner as TerraformRunner from checkov.terraform_json.utils import get_scannable_file_paths, create_definitions if TYPE_CHECKING: @@ -26,11 +27,14 @@ from checkov.terraform.graph_manager import TerraformGraphManager from checkov.common.typing import LibraryGraphConnector, _CheckResult +_TerraformJsonContext: TypeAlias = "dict[str, dict[str, Any]]" +_TerraformJsonDefinitions: TypeAlias = "dict[str, dict[str, Any]]" + logger = logging.getLogger(__name__) add_resource_code_filter_to_logger(logger) -class TerraformJsonRunner(TerraformRunner): +class TerraformJsonRunner(BaseTerraformRunner[_TerraformJsonDefinitions, _TerraformJsonContext, str]): check_type = CheckType.TERRAFORM_JSON # noqa: CCE003 # a static attribute def __init__( @@ -49,11 +53,11 @@ def __init__( source=source, ) self.file_extensions = (".json",) # just '.json' not 'tf.json' otherwise it will be filtered out - self.graph_registry = get_graph_checks_registry(super().check_type) + self.graph_registry = get_graph_checks_registry(check_type=CheckType.TERRAFORM) - self.definitions: dict[str, dict[str, Any]] = {} # type:ignore[assignment] # need to check, how to support subclass differences + self.definitions: _TerraformJsonDefinitions = {} self.definitions_raw: "dict[str, list[tuple[int, str]]]" = {} - self.context: dict[str, dict[str, Any]] = {} # type:ignore[assignment] + self.context: _TerraformJsonContext = {} self.root_folder: str | None = None def run( @@ -87,19 +91,16 @@ def run( if external_checks_dir: for directory in external_checks_dir: resource_registry.load_external_checks(directory) - - if CHECKOV_CREATE_GRAPH: - self.graph_registry.load_external_checks(directory) + self.graph_registry.load_external_checks(directory) # TODO: create function 'build_definitions_context()' # self.context = build_definitions_context(definitions=self.definitions, definitions_raw=self.definitions_raw) - if CHECKOV_CREATE_GRAPH: - logger.info("Creating Terraform JSON graph") - local_graph = self.graph_manager.build_graph_from_definitions(self.definitions) - logger.info("Successfully created Terraform JSON graph") + logger.info("Creating Terraform JSON graph") + local_graph = self.graph_manager.build_graph_from_definitions(self.definitions) + logger.info("Successfully created Terraform JSON graph") - self.graph_manager.save_graph(local_graph) + self.graph_manager.save_graph(local_graph) self.pbar.initiate(len(self.definitions)) @@ -107,8 +108,7 @@ def run( self.add_python_check_results(report=report, runner_filter=runner_filter) # run graph checks - if CHECKOV_CREATE_GRAPH: - self.add_graph_check_results(report=report, runner_filter=runner_filter) + self.add_graph_check_results(report=report, runner_filter=runner_filter) return report @@ -178,17 +178,17 @@ def add_graph_check_results(self, report: Report, runner_filter: RunnerFilter) - record.set_guideline(guideline=check.guideline) report.add_record(record=record) - def run_block( # type:ignore[override] # would probably need to make 'TerraformRunner' generic + def run_block( self, entities: list[dict[str, Any]], - definition_context: dict[str, Any], + definition_context: _TerraformJsonContext, full_file_path: str, root_folder: str | None, report: Report, scanned_file: str, block_type: str, runner_filter: RunnerFilter | None = None, - entity_context_path_header: list[str] | None = None, + entity_context_path_header: str | None = None, module_referrer: str | None = None, ) -> None: """Run block specific checks""" @@ -231,3 +231,7 @@ def run_block( # type:ignore[override] # would probably need to make 'Terrafor ) record.set_guideline(guideline=check.guideline) report.add_record(record=record) + + def get_entity_context_and_evaluations(self, entity: dict[str, Any]) -> dict[str, Any] | None: + # not used + pass diff --git a/checkov/version.py b/checkov/version.py index 28422c72cff..683bc898723 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.4.29' +version = '2.5.11' diff --git a/docs/2.Basics/Visualizing Checkov Output.md b/docs/2.Basics/Visualizing Checkov Output.md index 1b7873ac693..b396ef55915 100644 --- a/docs/2.Basics/Visualizing Checkov Output.md +++ b/docs/2.Basics/Visualizing Checkov Output.md @@ -48,23 +48,26 @@ The table below details the arguments used when executing the API token: To enrich Bridgecrew's context with CI/CD systems data, we strongly recommend that Checkov uses environment variables. -| Environment Variable | Description | Example | -| -------- | ----------- | ----------- | -| BC_FROM_BRANCH | Source branch | feature/foo | -| BC_TO_BRANCH | Target branch | main | -| BC_PR_ID | Pull request identifier | 825 | -| BC_PR_URL | Link to pull request/merge request | https://github.com/bridgecrewio/checkov/pull/825 | -| BC_COMMIT_HASH | Commit identifier | 5df50ab857e7a255e4e731877748b539915ad489 | -| BC_COMMIT_URL | Link to commit in CI/VCS system | https://github.com/bridgecrewio/checkov/commit/5df50ab857e7a255e4e731877748b539915ad489 | -| BC_AUTHOR_NAME | User associated with the CI trigger | schosterbarak | -| BC_AUTHOR_URL | Link to the user profile page | https://github.com/schosterbarak | -| BC_RUN_ID | CI run identifier | 525220526 | -| BC_RUN_URL | Link to the run in the CI system | https://github.com/bridgecrewio/checkov/actions/runs/525220526 | -| BC_REPOSITORY_URL | Link to the GitHub repository | https://github.com/bridgecrewio/checkov/ | -| BC_SOURCE | Name of CI system being integrated | githubActions | -| BC_API_URL | URL of BC app for platform integration | https://www.bridgecrew.cloud | -| PRISMA_API_URL | URL of Prisma app for platform integration | https://app3.prismacloud.io | -| SLS_FILE_MASK | File names mask for all serverless files | serverless.yaml,serverless.yml | +| Environment Variable | Description | Example | +|---------------------------------|--------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------| +| BC_FROM_BRANCH | Source branch | feature/foo | +| BC_TO_BRANCH | Target branch | main | +| BC_PR_ID | Pull request identifier | 825 | +| BC_PR_URL | Link to pull request/merge request | https://github.com/bridgecrewio/checkov/pull/825 | +| BC_COMMIT_HASH | Commit identifier | 5df50ab857e7a255e4e731877748b539915ad489 | +| BC_COMMIT_URL | Link to commit in CI/VCS system | https://github.com/bridgecrewio/checkov/commit/5df50ab857e7a255e4e731877748b539915ad489 | +| BC_AUTHOR_NAME | User associated with the CI trigger | schosterbarak | +| BC_AUTHOR_URL | Link to the user profile page | https://github.com/schosterbarak | +| BC_RUN_ID | CI run identifier | 525220526 | +| BC_RUN_URL | Link to the run in the CI system | https://github.com/bridgecrewio/checkov/actions/runs/525220526 | +| BC_REPOSITORY_URL | Link to the GitHub repository | https://github.com/bridgecrewio/checkov/ | +| BC_SOURCE | Name of CI system being integrated | githubActions | +| BC_API_URL | URL of BC app for platform integration | https://www.bridgecrew.cloud | +| PRISMA_API_URL | URL of Prisma app for platform integration | https://app3.prismacloud.io | +| SLS_FILE_MASK | File names mask for all serverless files | serverless.yaml,serverless.yml | +| CHECKOV_REQUEST_CONNECT_TIMEOUT | Number of seconds requests will wait to establish a connection to the platform | 3.1 | +| CHECKOV_REQUEST_READ_TIMEOUT | Number of seconds requests will wait for the platform to send a response. This duration matches our timeout settings, so changes are likely unnecessary. | 30 | +| CHECKOV_REQUEST_RETRIES | Number of retries requests will do towards the platform | 3 | ## Bridgecrew platform view diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 8fa30b177e0..7752059d808 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -820,2779 +820,2814 @@ nav_order: 1 | 809 | CKV_AWS_356 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [ResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/ResourcePolicyDocument.py) | | 810 | CKV_AWS_357 | resource | aws_transfer_server | Ensure Transfer Server allows only secure protocols | Terraform | [TransferServerAllowsOnlySecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerAllowsOnlySecureProtocols.py) | | 811 | CKV_AWS_358 | data | aws_iam_policy_document | Ensure GitHub Actions OIDC trust policies only allows actions from a specific known organization | Terraform | [GithubActionsOIDCTrustPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/GithubActionsOIDCTrustPolicy.py) | -| 812 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | -| 813 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | -| 814 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | -| 815 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | -| 816 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | -| 817 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | -| 818 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | -| 819 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | -| 820 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform | [SGAttachedToResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml) | -| 821 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | -| 822 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | -| 823 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | -| 824 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | -| 825 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | [RDSClusterHasBackupPlan.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSClusterHasBackupPlan.yaml) | -| 826 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | [EBSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EBSAddedBackup.yaml) | -| 827 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | [CloudtrailHasCloudwatch.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudtrailHasCloudwatch.yaml) | -| 828 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | [VPCHasFlowLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasFlowLog.yaml) | -| 829 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | -| 830 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | -| 831 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | -| 832 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | -| 833 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 834 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 835 | CKV2_AWS_15 | resource | aws_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 836 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | -| 837 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | -| 838 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | [EFSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EFSAddedBackup.yaml) | -| 839 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | -| 840 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | -| 841 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 842 | CKV2_AWS_20 | resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 843 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 844 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 845 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | [IAMUsersAreMembersAtLeastOneGroup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUsersAreMembersAtLeastOneGroup.yaml) | -| 846 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | [IAMUserHasNoConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUserHasNoConsoleAccess.yaml) | -| 847 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | [Route53ARecordAttachedResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ARecordAttachedResource.yaml) | -| 848 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | -| 849 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | -| 850 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | -| 851 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | -| 852 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | -| 853 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | -| 854 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | -| 855 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | -| 856 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 has a Logging Configuration | Terraform | [WAF2HasLogs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/WAF2HasLogs.yaml) | -| 857 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a response headers policy attached | Terraform | [CloudFrontHasResponseHeadersPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasResponseHeadersPolicy.yaml) | -| 858 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) | -| 859 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppSyncProtectedByWAF.yaml) | -| 860 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform | [AWSSSMParameterShouldBeEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSSSMParameterShouldBeEncrypted.yaml) | -| 861 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | -| 862 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | -| 863 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | -| 864 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | -| 865 | CKV2_AWS_37 | resource | aws | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 866 | CKV2_AWS_37 | resource | aws_accessanalyzer_analyzer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 867 | CKV2_AWS_37 | resource | aws_acm_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 868 | CKV2_AWS_37 | resource | aws_acm_certificate_validation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 869 | CKV2_AWS_37 | resource | aws_acmpca_certificate_authority | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 870 | CKV2_AWS_37 | resource | aws_ami | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 871 | CKV2_AWS_37 | resource | aws_ami_copy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 872 | CKV2_AWS_37 | resource | aws_ami_from_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 873 | CKV2_AWS_37 | resource | aws_ami_launch_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 874 | CKV2_AWS_37 | resource | aws_api_gateway_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 875 | CKV2_AWS_37 | resource | aws_api_gateway_api_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 876 | CKV2_AWS_37 | resource | aws_api_gateway_authorizer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 877 | CKV2_AWS_37 | resource | aws_api_gateway_base_path_mapping | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 878 | CKV2_AWS_37 | resource | aws_api_gateway_client_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 879 | CKV2_AWS_37 | resource | aws_api_gateway_deployment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 880 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_part | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 881 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_version | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 882 | CKV2_AWS_37 | resource | aws_api_gateway_domain_name | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 883 | CKV2_AWS_37 | resource | aws_api_gateway_gateway_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 884 | CKV2_AWS_37 | resource | aws_api_gateway_integration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 885 | CKV2_AWS_37 | resource | aws_api_gateway_integration_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 886 | CKV2_AWS_37 | resource | aws_api_gateway_method | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 887 | CKV2_AWS_37 | resource | aws_api_gateway_method_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 888 | CKV2_AWS_37 | resource | aws_api_gateway_method_settings | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 889 | CKV2_AWS_37 | resource | aws_api_gateway_model | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 890 | CKV2_AWS_37 | resource | aws_api_gateway_request_validator | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 891 | CKV2_AWS_37 | resource | aws_api_gateway_resource | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 892 | CKV2_AWS_37 | resource | aws_api_gateway_rest_api | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 893 | CKV2_AWS_37 | resource | aws_api_gateway_stage | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 894 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 895 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 896 | CKV2_AWS_37 | resource | aws_api_gateway_vpc_link | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 897 | CKV2_AWS_37 | resource | aws_apigatewayv2_api | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 898 | CKV2_AWS_37 | resource | aws_apigatewayv2_api_mapping | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 899 | CKV2_AWS_37 | resource | aws_apigatewayv2_authorizer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 900 | CKV2_AWS_37 | resource | aws_apigatewayv2_deployment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 901 | CKV2_AWS_37 | resource | aws_apigatewayv2_domain_name | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 902 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 903 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 904 | CKV2_AWS_37 | resource | aws_apigatewayv2_model | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 905 | CKV2_AWS_37 | resource | aws_apigatewayv2_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 906 | CKV2_AWS_37 | resource | aws_apigatewayv2_route_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 907 | CKV2_AWS_37 | resource | aws_apigatewayv2_stage | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 908 | CKV2_AWS_37 | resource | aws_apigatewayv2_vpc_link | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 909 | CKV2_AWS_37 | resource | aws_app_cookie_stickiness_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 910 | CKV2_AWS_37 | resource | aws_appautoscaling_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 911 | CKV2_AWS_37 | resource | aws_appautoscaling_scheduled_action | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 912 | CKV2_AWS_37 | resource | aws_appautoscaling_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 913 | CKV2_AWS_37 | resource | aws_appmesh_mesh | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 914 | CKV2_AWS_37 | resource | aws_appmesh_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 915 | CKV2_AWS_37 | resource | aws_appmesh_virtual_node | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 916 | CKV2_AWS_37 | resource | aws_appmesh_virtual_router | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 917 | CKV2_AWS_37 | resource | aws_appmesh_virtual_service | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 918 | CKV2_AWS_37 | resource | aws_appsync_api_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 919 | CKV2_AWS_37 | resource | aws_appsync_datasource | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 920 | CKV2_AWS_37 | resource | aws_appsync_function | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 921 | CKV2_AWS_37 | resource | aws_appsync_graphql_api | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 922 | CKV2_AWS_37 | resource | aws_appsync_resolver | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 923 | CKV2_AWS_37 | resource | aws_athena_database | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 924 | CKV2_AWS_37 | resource | aws_athena_named_query | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 925 | CKV2_AWS_37 | resource | aws_athena_workgroup | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 926 | CKV2_AWS_37 | resource | aws_autoscaling_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 927 | CKV2_AWS_37 | resource | aws_autoscaling_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 928 | CKV2_AWS_37 | resource | aws_autoscaling_lifecycle_hook | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 929 | CKV2_AWS_37 | resource | aws_autoscaling_notification | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 930 | CKV2_AWS_37 | resource | aws_autoscaling_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 931 | CKV2_AWS_37 | resource | aws_autoscaling_schedule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 932 | CKV2_AWS_37 | resource | aws_backup_plan | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 933 | CKV2_AWS_37 | resource | aws_backup_selection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 934 | CKV2_AWS_37 | resource | aws_backup_vault | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 935 | CKV2_AWS_37 | resource | aws_batch_compute_environment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 936 | CKV2_AWS_37 | resource | aws_batch_job_definition | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 937 | CKV2_AWS_37 | resource | aws_batch_job_queue | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 938 | CKV2_AWS_37 | resource | aws_budgets_budget | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 939 | CKV2_AWS_37 | resource | aws_cloud9_environment_ec2 | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 940 | CKV2_AWS_37 | resource | aws_cloudformation_stack | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 941 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 942 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 943 | CKV2_AWS_37 | resource | aws_cloudfront_distribution | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 944 | CKV2_AWS_37 | resource | aws_cloudfront_origin_access_identity | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 945 | CKV2_AWS_37 | resource | aws_cloudfront_public_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 946 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 947 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_hsm | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 948 | CKV2_AWS_37 | resource | aws_cloudtrail | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 949 | CKV2_AWS_37 | resource | aws_cloudwatch_dashboard | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 950 | CKV2_AWS_37 | resource | aws_cloudwatch_event_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 951 | CKV2_AWS_37 | resource | aws_cloudwatch_event_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 952 | CKV2_AWS_37 | resource | aws_cloudwatch_event_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 953 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 954 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 955 | CKV2_AWS_37 | resource | aws_cloudwatch_log_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 956 | CKV2_AWS_37 | resource | aws_cloudwatch_log_metric_filter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 957 | CKV2_AWS_37 | resource | aws_cloudwatch_log_resource_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 958 | CKV2_AWS_37 | resource | aws_cloudwatch_log_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 959 | CKV2_AWS_37 | resource | aws_cloudwatch_log_subscription_filter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 960 | CKV2_AWS_37 | resource | aws_cloudwatch_metric_alarm | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 961 | CKV2_AWS_37 | resource | aws_codebuild_project | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 962 | CKV2_AWS_37 | resource | aws_codebuild_source_credential | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 963 | CKV2_AWS_37 | resource | aws_codebuild_webhook | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 964 | CKV2_AWS_37 | resource | aws_codecommit_repository | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 965 | CKV2_AWS_37 | resource | aws_codecommit_trigger | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 966 | CKV2_AWS_37 | resource | aws_codedeploy_app | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 967 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_config | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 968 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 969 | CKV2_AWS_37 | resource | aws_codepipeline | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 970 | CKV2_AWS_37 | resource | aws_codepipeline_webhook | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 971 | CKV2_AWS_37 | resource | aws_codestarnotifications_notification_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 972 | CKV2_AWS_37 | resource | aws_cognito_identity_pool | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 973 | CKV2_AWS_37 | resource | aws_cognito_identity_pool_roles_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 974 | CKV2_AWS_37 | resource | aws_cognito_identity_provider | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 975 | CKV2_AWS_37 | resource | aws_cognito_resource_server | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 976 | CKV2_AWS_37 | resource | aws_cognito_user_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 977 | CKV2_AWS_37 | resource | aws_cognito_user_pool | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 978 | CKV2_AWS_37 | resource | aws_cognito_user_pool_client | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 979 | CKV2_AWS_37 | resource | aws_cognito_user_pool_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 980 | CKV2_AWS_37 | resource | aws_config_aggregate_authorization | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 981 | CKV2_AWS_37 | resource | aws_config_config_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 982 | CKV2_AWS_37 | resource | aws_config_configuration_aggregator | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 983 | CKV2_AWS_37 | resource | aws_config_configuration_recorder | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 984 | CKV2_AWS_37 | resource | aws_config_configuration_recorder_status | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 985 | CKV2_AWS_37 | resource | aws_config_delivery_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 986 | CKV2_AWS_37 | resource | aws_config_organization_custom_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 987 | CKV2_AWS_37 | resource | aws_config_organization_managed_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 988 | CKV2_AWS_37 | resource | aws_cur_report_definition | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 989 | CKV2_AWS_37 | resource | aws_customer_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 990 | CKV2_AWS_37 | resource | aws_datapipeline_pipeline | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 991 | CKV2_AWS_37 | resource | aws_datasync_agent | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 992 | CKV2_AWS_37 | resource | aws_datasync_location_efs | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 993 | CKV2_AWS_37 | resource | aws_datasync_location_nfs | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 994 | CKV2_AWS_37 | resource | aws_datasync_location_s3 | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 995 | CKV2_AWS_37 | resource | aws_datasync_location_smb | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 996 | CKV2_AWS_37 | resource | aws_datasync_task | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 997 | CKV2_AWS_37 | resource | aws_dax_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 998 | CKV2_AWS_37 | resource | aws_dax_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 999 | CKV2_AWS_37 | resource | aws_dax_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1000 | CKV2_AWS_37 | resource | aws_db_cluster_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1001 | CKV2_AWS_37 | resource | aws_db_event_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1002 | CKV2_AWS_37 | resource | aws_db_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1003 | CKV2_AWS_37 | resource | aws_db_instance_role_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1004 | CKV2_AWS_37 | resource | aws_db_option_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1005 | CKV2_AWS_37 | resource | aws_db_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1006 | CKV2_AWS_37 | resource | aws_db_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1007 | CKV2_AWS_37 | resource | aws_db_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1008 | CKV2_AWS_37 | resource | aws_db_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1009 | CKV2_AWS_37 | resource | aws_default_network_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1010 | CKV2_AWS_37 | resource | aws_default_route_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1011 | CKV2_AWS_37 | resource | aws_default_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1012 | CKV2_AWS_37 | resource | aws_default_subnet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1013 | CKV2_AWS_37 | resource | aws_default_vpc | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1014 | CKV2_AWS_37 | resource | aws_default_vpc_dhcp_options | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1015 | CKV2_AWS_37 | resource | aws_devicefarm_project | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1016 | CKV2_AWS_37 | resource | aws_directory_service_conditional_forwarder | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1017 | CKV2_AWS_37 | resource | aws_directory_service_directory | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1018 | CKV2_AWS_37 | resource | aws_directory_service_log_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1019 | CKV2_AWS_37 | resource | aws_dlm_lifecycle_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1020 | CKV2_AWS_37 | resource | aws_dms_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1021 | CKV2_AWS_37 | resource | aws_dms_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1022 | CKV2_AWS_37 | resource | aws_dms_event_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1023 | CKV2_AWS_37 | resource | aws_dms_replication_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1024 | CKV2_AWS_37 | resource | aws_dms_replication_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1025 | CKV2_AWS_37 | resource | aws_dms_replication_task | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1026 | CKV2_AWS_37 | resource | aws_docdb_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1027 | CKV2_AWS_37 | resource | aws_docdb_cluster_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1028 | CKV2_AWS_37 | resource | aws_docdb_cluster_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1029 | CKV2_AWS_37 | resource | aws_docdb_cluster_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1030 | CKV2_AWS_37 | resource | aws_docdb_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1031 | CKV2_AWS_37 | resource | aws_dx_bgp_peer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1032 | CKV2_AWS_37 | resource | aws_dx_connection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1033 | CKV2_AWS_37 | resource | aws_dx_connection_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1034 | CKV2_AWS_37 | resource | aws_dx_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1035 | CKV2_AWS_37 | resource | aws_dx_gateway_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1036 | CKV2_AWS_37 | resource | aws_dx_gateway_association_proposal | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1037 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1038 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1039 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1040 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1041 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1042 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1043 | CKV2_AWS_37 | resource | aws_dx_lag | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1044 | CKV2_AWS_37 | resource | aws_dx_private_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1045 | CKV2_AWS_37 | resource | aws_dx_public_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1046 | CKV2_AWS_37 | resource | aws_dx_transit_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1047 | CKV2_AWS_37 | resource | aws_dynamodb_global_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1048 | CKV2_AWS_37 | resource | aws_dynamodb_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1049 | CKV2_AWS_37 | resource | aws_dynamodb_table_item | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1050 | CKV2_AWS_37 | resource | aws_ebs_default_kms_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1051 | CKV2_AWS_37 | resource | aws_ebs_encryption_by_default | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1052 | CKV2_AWS_37 | resource | aws_ebs_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1053 | CKV2_AWS_37 | resource | aws_ebs_snapshot_copy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1054 | CKV2_AWS_37 | resource | aws_ebs_volume | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1055 | CKV2_AWS_37 | resource | aws_ec2_availability_zone_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1056 | CKV2_AWS_37 | resource | aws_ec2_capacity_reservation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1057 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_authorization_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1058 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1059 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_network_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1060 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1061 | CKV2_AWS_37 | resource | aws_ec2_fleet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1062 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1063 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route_table_vpc_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1064 | CKV2_AWS_37 | resource | aws_ec2_tag | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1065 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1066 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1067 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_session | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1068 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1069 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1070 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1071 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1072 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1073 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1074 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1075 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_propagation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1076 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1077 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1078 | CKV2_AWS_37 | resource | aws_ecr_lifecycle_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1079 | CKV2_AWS_37 | resource | aws_ecr_repository | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1080 | CKV2_AWS_37 | resource | aws_ecr_repository_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1081 | CKV2_AWS_37 | resource | aws_ecs_capacity_provider | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1082 | CKV2_AWS_37 | resource | aws_ecs_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1083 | CKV2_AWS_37 | resource | aws_ecs_service | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1084 | CKV2_AWS_37 | resource | aws_ecs_task_definition | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1085 | CKV2_AWS_37 | resource | aws_efs_access_point | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1086 | CKV2_AWS_37 | resource | aws_efs_file_system | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1087 | CKV2_AWS_37 | resource | aws_efs_file_system_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1088 | CKV2_AWS_37 | resource | aws_efs_mount_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1089 | CKV2_AWS_37 | resource | aws_egress_only_internet_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1090 | CKV2_AWS_37 | resource | aws_eip | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1091 | CKV2_AWS_37 | resource | aws_eip_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1092 | CKV2_AWS_37 | resource | aws_eks_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1093 | CKV2_AWS_37 | resource | aws_eks_fargate_profile | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1094 | CKV2_AWS_37 | resource | aws_eks_node_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1095 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1096 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application_version | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1097 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_configuration_template | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1098 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_environment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1099 | CKV2_AWS_37 | resource | aws_elasticache_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1100 | CKV2_AWS_37 | resource | aws_elasticache_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1101 | CKV2_AWS_37 | resource | aws_elasticache_replication_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1102 | CKV2_AWS_37 | resource | aws_elasticache_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1103 | CKV2_AWS_37 | resource | aws_elasticache_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1104 | CKV2_AWS_37 | resource | aws_elasticsearch_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1105 | CKV2_AWS_37 | resource | aws_elasticsearch_domain_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1106 | CKV2_AWS_37 | resource | aws_elastictranscoder_pipeline | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1107 | CKV2_AWS_37 | resource | aws_elastictranscoder_preset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1108 | CKV2_AWS_37 | resource | aws_elb | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1109 | CKV2_AWS_37 | resource | aws_elb_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1110 | CKV2_AWS_37 | resource | aws_emr_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1111 | CKV2_AWS_37 | resource | aws_emr_instance_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1112 | CKV2_AWS_37 | resource | aws_emr_security_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1113 | CKV2_AWS_37 | resource | aws_flow_log | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1114 | CKV2_AWS_37 | resource | aws_fms_admin_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1115 | CKV2_AWS_37 | resource | aws_fsx_lustre_file_system | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1116 | CKV2_AWS_37 | resource | aws_fsx_windows_file_system | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1117 | CKV2_AWS_37 | resource | aws_gamelift_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1118 | CKV2_AWS_37 | resource | aws_gamelift_build | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1119 | CKV2_AWS_37 | resource | aws_gamelift_fleet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1120 | CKV2_AWS_37 | resource | aws_gamelift_game_session_queue | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1121 | CKV2_AWS_37 | resource | aws_glacier_vault | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1122 | CKV2_AWS_37 | resource | aws_glacier_vault_lock | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1123 | CKV2_AWS_37 | resource | aws_globalaccelerator_accelerator | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1124 | CKV2_AWS_37 | resource | aws_globalaccelerator_endpoint_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1125 | CKV2_AWS_37 | resource | aws_globalaccelerator_listener | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1126 | CKV2_AWS_37 | resource | aws_glue_catalog_database | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1127 | CKV2_AWS_37 | resource | aws_glue_catalog_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1128 | CKV2_AWS_37 | resource | aws_glue_classifier | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1129 | CKV2_AWS_37 | resource | aws_glue_connection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1130 | CKV2_AWS_37 | resource | aws_glue_crawler | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1131 | CKV2_AWS_37 | resource | aws_glue_job | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1132 | CKV2_AWS_37 | resource | aws_glue_security_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1133 | CKV2_AWS_37 | resource | aws_glue_trigger | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1134 | CKV2_AWS_37 | resource | aws_glue_workflow | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1135 | CKV2_AWS_37 | resource | aws_guardduty_detector | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1136 | CKV2_AWS_37 | resource | aws_guardduty_invite_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1137 | CKV2_AWS_37 | resource | aws_guardduty_ipset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1138 | CKV2_AWS_37 | resource | aws_guardduty_member | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1139 | CKV2_AWS_37 | resource | aws_guardduty_organization_admin_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1140 | CKV2_AWS_37 | resource | aws_guardduty_organization_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1141 | CKV2_AWS_37 | resource | aws_guardduty_threatintelset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1142 | CKV2_AWS_37 | resource | aws_iam_access_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1143 | CKV2_AWS_37 | resource | aws_iam_account_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1144 | CKV2_AWS_37 | resource | aws_iam_account_password_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1145 | CKV2_AWS_37 | resource | aws_iam_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1146 | CKV2_AWS_37 | resource | aws_iam_group_membership | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1147 | CKV2_AWS_37 | resource | aws_iam_group_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1148 | CKV2_AWS_37 | resource | aws_iam_group_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1149 | CKV2_AWS_37 | resource | aws_iam_instance_profile | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1150 | CKV2_AWS_37 | resource | aws_iam_openid_connect_provider | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1151 | CKV2_AWS_37 | resource | aws_iam_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1152 | CKV2_AWS_37 | resource | aws_iam_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1153 | CKV2_AWS_37 | resource | aws_iam_policy_document | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1154 | CKV2_AWS_37 | resource | aws_iam_role | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1155 | CKV2_AWS_37 | resource | aws_iam_role_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1156 | CKV2_AWS_37 | resource | aws_iam_role_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1157 | CKV2_AWS_37 | resource | aws_iam_saml_provider | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1158 | CKV2_AWS_37 | resource | aws_iam_server_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1159 | CKV2_AWS_37 | resource | aws_iam_service_linked_role | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1160 | CKV2_AWS_37 | resource | aws_iam_user | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1161 | CKV2_AWS_37 | resource | aws_iam_user_group_membership | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1162 | CKV2_AWS_37 | resource | aws_iam_user_login_profile | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1163 | CKV2_AWS_37 | resource | aws_iam_user_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1164 | CKV2_AWS_37 | resource | aws_iam_user_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1165 | CKV2_AWS_37 | resource | aws_iam_user_ssh_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1166 | CKV2_AWS_37 | resource | aws_inspector_assessment_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1167 | CKV2_AWS_37 | resource | aws_inspector_assessment_template | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1168 | CKV2_AWS_37 | resource | aws_inspector_resource_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1169 | CKV2_AWS_37 | resource | aws_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1170 | CKV2_AWS_37 | resource | aws_internet_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1171 | CKV2_AWS_37 | resource | aws_iot_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1172 | CKV2_AWS_37 | resource | aws_iot_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1173 | CKV2_AWS_37 | resource | aws_iot_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1174 | CKV2_AWS_37 | resource | aws_iot_role_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1175 | CKV2_AWS_37 | resource | aws_iot_thing | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1176 | CKV2_AWS_37 | resource | aws_iot_thing_principal_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1177 | CKV2_AWS_37 | resource | aws_iot_thing_type | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1178 | CKV2_AWS_37 | resource | aws_iot_topic_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1179 | CKV2_AWS_37 | resource | aws_key_pair | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1180 | CKV2_AWS_37 | resource | aws_kinesis_analytics_application | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1181 | CKV2_AWS_37 | resource | aws_kinesis_firehose_delivery_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1182 | CKV2_AWS_37 | resource | aws_kinesis_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1183 | CKV2_AWS_37 | resource | aws_kinesis_video_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1184 | CKV2_AWS_37 | resource | aws_kms_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1185 | CKV2_AWS_37 | resource | aws_kms_ciphertext | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1186 | CKV2_AWS_37 | resource | aws_kms_external_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1187 | CKV2_AWS_37 | resource | aws_kms_grant | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1188 | CKV2_AWS_37 | resource | aws_kms_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1189 | CKV2_AWS_37 | resource | aws_lambda_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1190 | CKV2_AWS_37 | resource | aws_lambda_event_source_mapping | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1191 | CKV2_AWS_37 | resource | aws_lambda_function | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1192 | CKV2_AWS_37 | resource | aws_lambda_function_event_invoke_config | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1193 | CKV2_AWS_37 | resource | aws_lambda_layer_version | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1194 | CKV2_AWS_37 | resource | aws_lambda_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1195 | CKV2_AWS_37 | resource | aws_lambda_provisioned_concurrency_config | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1196 | CKV2_AWS_37 | resource | aws_launch_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1197 | CKV2_AWS_37 | resource | aws_launch_template | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1198 | CKV2_AWS_37 | resource | aws_lb | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1199 | CKV2_AWS_37 | resource | aws_lb_cookie_stickiness_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1200 | CKV2_AWS_37 | resource | aws_lb_listener | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1201 | CKV2_AWS_37 | resource | aws_lb_listener_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1202 | CKV2_AWS_37 | resource | aws_lb_listener_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1203 | CKV2_AWS_37 | resource | aws_lb_ssl_negotiation_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1204 | CKV2_AWS_37 | resource | aws_lb_target_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1205 | CKV2_AWS_37 | resource | aws_lb_target_group_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1206 | CKV2_AWS_37 | resource | aws_licensemanager_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1207 | CKV2_AWS_37 | resource | aws_licensemanager_license_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1208 | CKV2_AWS_37 | resource | aws_lightsail_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1209 | CKV2_AWS_37 | resource | aws_lightsail_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1210 | CKV2_AWS_37 | resource | aws_lightsail_key_pair | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1211 | CKV2_AWS_37 | resource | aws_lightsail_static_ip | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1212 | CKV2_AWS_37 | resource | aws_lightsail_static_ip_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1213 | CKV2_AWS_37 | resource | aws_load_balancer_backend_server_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1214 | CKV2_AWS_37 | resource | aws_load_balancer_listener_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1215 | CKV2_AWS_37 | resource | aws_load_balancer_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1216 | CKV2_AWS_37 | resource | aws_macie_member_account_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1217 | CKV2_AWS_37 | resource | aws_macie_s3_bucket_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1218 | CKV2_AWS_37 | resource | aws_main_route_table_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1219 | CKV2_AWS_37 | resource | aws_media_convert_queue | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1220 | CKV2_AWS_37 | resource | aws_media_package_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1221 | CKV2_AWS_37 | resource | aws_media_store_container | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1222 | CKV2_AWS_37 | resource | aws_media_store_container_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1223 | CKV2_AWS_37 | resource | aws_mq_broker | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1224 | CKV2_AWS_37 | resource | aws_mq_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1225 | CKV2_AWS_37 | resource | aws_msk_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1226 | CKV2_AWS_37 | resource | aws_msk_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1227 | CKV2_AWS_37 | resource | aws_nat_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1228 | CKV2_AWS_37 | resource | aws_neptune_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1229 | CKV2_AWS_37 | resource | aws_neptune_cluster_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1230 | CKV2_AWS_37 | resource | aws_neptune_cluster_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1231 | CKV2_AWS_37 | resource | aws_neptune_cluster_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1232 | CKV2_AWS_37 | resource | aws_neptune_event_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1233 | CKV2_AWS_37 | resource | aws_neptune_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1234 | CKV2_AWS_37 | resource | aws_neptune_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1235 | CKV2_AWS_37 | resource | aws_network_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1236 | CKV2_AWS_37 | resource | aws_network_acl_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1237 | CKV2_AWS_37 | resource | aws_network_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1238 | CKV2_AWS_37 | resource | aws_network_interface_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1239 | CKV2_AWS_37 | resource | aws_network_interface_sg_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1240 | CKV2_AWS_37 | resource | aws_opsworks_application | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1241 | CKV2_AWS_37 | resource | aws_opsworks_custom_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1242 | CKV2_AWS_37 | resource | aws_opsworks_ganglia_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1243 | CKV2_AWS_37 | resource | aws_opsworks_haproxy_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1244 | CKV2_AWS_37 | resource | aws_opsworks_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1245 | CKV2_AWS_37 | resource | aws_opsworks_java_app_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1246 | CKV2_AWS_37 | resource | aws_opsworks_memcached_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1247 | CKV2_AWS_37 | resource | aws_opsworks_mysql_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1248 | CKV2_AWS_37 | resource | aws_opsworks_nodejs_app_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1249 | CKV2_AWS_37 | resource | aws_opsworks_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1250 | CKV2_AWS_37 | resource | aws_opsworks_php_app_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1251 | CKV2_AWS_37 | resource | aws_opsworks_rails_app_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1252 | CKV2_AWS_37 | resource | aws_opsworks_rds_db_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1253 | CKV2_AWS_37 | resource | aws_opsworks_stack | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1254 | CKV2_AWS_37 | resource | aws_opsworks_static_web_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1255 | CKV2_AWS_37 | resource | aws_opsworks_user_profile | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1256 | CKV2_AWS_37 | resource | aws_organizations_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1257 | CKV2_AWS_37 | resource | aws_organizations_organization | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1258 | CKV2_AWS_37 | resource | aws_organizations_organizational_unit | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1259 | CKV2_AWS_37 | resource | aws_organizations_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1260 | CKV2_AWS_37 | resource | aws_organizations_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1261 | CKV2_AWS_37 | resource | aws_pinpoint_adm_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1262 | CKV2_AWS_37 | resource | aws_pinpoint_apns_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1263 | CKV2_AWS_37 | resource | aws_pinpoint_apns_sandbox_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1264 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1265 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_sandbox_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1266 | CKV2_AWS_37 | resource | aws_pinpoint_app | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1267 | CKV2_AWS_37 | resource | aws_pinpoint_baidu_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1268 | CKV2_AWS_37 | resource | aws_pinpoint_email_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1269 | CKV2_AWS_37 | resource | aws_pinpoint_event_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1270 | CKV2_AWS_37 | resource | aws_pinpoint_gcm_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1271 | CKV2_AWS_37 | resource | aws_pinpoint_sms_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1272 | CKV2_AWS_37 | resource | aws_placement_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1273 | CKV2_AWS_37 | resource | aws_proxy_protocol_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1274 | CKV2_AWS_37 | resource | aws_qldb_ledger | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1275 | CKV2_AWS_37 | resource | aws_quicksight_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1276 | CKV2_AWS_37 | resource | aws_quicksight_user | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1277 | CKV2_AWS_37 | resource | aws_ram_principal_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1278 | CKV2_AWS_37 | resource | aws_ram_resource_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1279 | CKV2_AWS_37 | resource | aws_ram_resource_share | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1280 | CKV2_AWS_37 | resource | aws_ram_resource_share_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1281 | CKV2_AWS_37 | resource | aws_rds_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1282 | CKV2_AWS_37 | resource | aws_rds_cluster_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1283 | CKV2_AWS_37 | resource | aws_rds_cluster_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1284 | CKV2_AWS_37 | resource | aws_rds_cluster_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1285 | CKV2_AWS_37 | resource | aws_rds_global_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1286 | CKV2_AWS_37 | resource | aws_redshift_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1287 | CKV2_AWS_37 | resource | aws_redshift_event_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1288 | CKV2_AWS_37 | resource | aws_redshift_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1289 | CKV2_AWS_37 | resource | aws_redshift_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1290 | CKV2_AWS_37 | resource | aws_redshift_snapshot_copy_grant | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1291 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1292 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1293 | CKV2_AWS_37 | resource | aws_redshift_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1294 | CKV2_AWS_37 | resource | aws_resourcegroups_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1295 | CKV2_AWS_37 | resource | aws_root | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1296 | CKV2_AWS_37 | resource | aws_root_access_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1297 | CKV2_AWS_37 | resource | aws_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1298 | CKV2_AWS_37 | resource | aws_route53_delegation_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1299 | CKV2_AWS_37 | resource | aws_route53_health_check | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1300 | CKV2_AWS_37 | resource | aws_route53_query_log | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1301 | CKV2_AWS_37 | resource | aws_route53_record | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1302 | CKV2_AWS_37 | resource | aws_route53_resolver_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1303 | CKV2_AWS_37 | resource | aws_route53_resolver_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1304 | CKV2_AWS_37 | resource | aws_route53_resolver_rule_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1305 | CKV2_AWS_37 | resource | aws_route53_vpc_association_authorization | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1306 | CKV2_AWS_37 | resource | aws_route53_zone | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1307 | CKV2_AWS_37 | resource | aws_route53_zone_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1308 | CKV2_AWS_37 | resource | aws_route_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1309 | CKV2_AWS_37 | resource | aws_route_table_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1310 | CKV2_AWS_37 | resource | aws_s3_access_point | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1311 | CKV2_AWS_37 | resource | aws_s3_account_public_access_block | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1312 | CKV2_AWS_37 | resource | aws_s3_bucket | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1313 | CKV2_AWS_37 | resource | aws_s3_bucket_analytics_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1314 | CKV2_AWS_37 | resource | aws_s3_bucket_inventory | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1315 | CKV2_AWS_37 | resource | aws_s3_bucket_metric | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1316 | CKV2_AWS_37 | resource | aws_s3_bucket_notification | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1317 | CKV2_AWS_37 | resource | aws_s3_bucket_object | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1318 | CKV2_AWS_37 | resource | aws_s3_bucket_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1319 | CKV2_AWS_37 | resource | aws_s3_bucket_public_access_block | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1320 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1321 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1322 | CKV2_AWS_37 | resource | aws_sagemaker_model | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1323 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1324 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance_lifecycle_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1325 | CKV2_AWS_37 | resource | aws_secretsmanager_secret | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1326 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_rotation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1327 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_version | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1328 | CKV2_AWS_37 | resource | aws_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1329 | CKV2_AWS_37 | resource | aws_security_group_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1330 | CKV2_AWS_37 | resource | aws_securityhub_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1331 | CKV2_AWS_37 | resource | aws_securityhub_member | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1332 | CKV2_AWS_37 | resource | aws_securityhub_product_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1333 | CKV2_AWS_37 | resource | aws_securityhub_standards_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1334 | CKV2_AWS_37 | resource | aws_service_discovery_http_namespace | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1335 | CKV2_AWS_37 | resource | aws_service_discovery_private_dns_namespace | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1336 | CKV2_AWS_37 | resource | aws_service_discovery_public_dns_namespace | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1337 | CKV2_AWS_37 | resource | aws_service_discovery_service | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1338 | CKV2_AWS_37 | resource | aws_servicecatalog_portfolio | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1339 | CKV2_AWS_37 | resource | aws_servicequotas_service_quota | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1340 | CKV2_AWS_37 | resource | aws_ses_active_receipt_rule_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1341 | CKV2_AWS_37 | resource | aws_ses_configuration_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1342 | CKV2_AWS_37 | resource | aws_ses_domain_dkim | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1343 | CKV2_AWS_37 | resource | aws_ses_domain_identity | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1344 | CKV2_AWS_37 | resource | aws_ses_domain_identity_verification | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1345 | CKV2_AWS_37 | resource | aws_ses_domain_mail_from | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1346 | CKV2_AWS_37 | resource | aws_ses_email_identity | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1347 | CKV2_AWS_37 | resource | aws_ses_event_destination | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1348 | CKV2_AWS_37 | resource | aws_ses_identity_notification_topic | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1349 | CKV2_AWS_37 | resource | aws_ses_identity_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1350 | CKV2_AWS_37 | resource | aws_ses_receipt_filter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1351 | CKV2_AWS_37 | resource | aws_ses_receipt_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1352 | CKV2_AWS_37 | resource | aws_ses_receipt_rule_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1353 | CKV2_AWS_37 | resource | aws_ses_template | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1354 | CKV2_AWS_37 | resource | aws_sfn_activity | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1355 | CKV2_AWS_37 | resource | aws_sfn_state_machine | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1356 | CKV2_AWS_37 | resource | aws_shield_protection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1357 | CKV2_AWS_37 | resource | aws_simpledb_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1358 | CKV2_AWS_37 | resource | aws_snapshot_create_volume_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1359 | CKV2_AWS_37 | resource | aws_sns_platform_application | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1360 | CKV2_AWS_37 | resource | aws_sns_sms_preferences | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1361 | CKV2_AWS_37 | resource | aws_sns_topic | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1362 | CKV2_AWS_37 | resource | aws_sns_topic_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1363 | CKV2_AWS_37 | resource | aws_sns_topic_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1364 | CKV2_AWS_37 | resource | aws_spot_datafeed_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1365 | CKV2_AWS_37 | resource | aws_spot_fleet_request | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1366 | CKV2_AWS_37 | resource | aws_spot_instance_request | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1367 | CKV2_AWS_37 | resource | aws_sqs_queue | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1368 | CKV2_AWS_37 | resource | aws_sqs_queue_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1369 | CKV2_AWS_37 | resource | aws_ssm_activation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1370 | CKV2_AWS_37 | resource | aws_ssm_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1371 | CKV2_AWS_37 | resource | aws_ssm_document | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1372 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1373 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1374 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_task | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1375 | CKV2_AWS_37 | resource | aws_ssm_parameter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1376 | CKV2_AWS_37 | resource | aws_ssm_patch_baseline | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1377 | CKV2_AWS_37 | resource | aws_ssm_patch_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1378 | CKV2_AWS_37 | resource | aws_ssm_resource_data_sync | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1379 | CKV2_AWS_37 | resource | aws_storagegateway_cache | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1380 | CKV2_AWS_37 | resource | aws_storagegateway_cached_iscsi_volume | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1381 | CKV2_AWS_37 | resource | aws_storagegateway_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1382 | CKV2_AWS_37 | resource | aws_storagegateway_nfs_file_share | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1383 | CKV2_AWS_37 | resource | aws_storagegateway_smb_file_share | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1384 | CKV2_AWS_37 | resource | aws_storagegateway_upload_buffer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1385 | CKV2_AWS_37 | resource | aws_storagegateway_working_storage | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1386 | CKV2_AWS_37 | resource | aws_subnet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1387 | CKV2_AWS_37 | resource | aws_swf_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1388 | CKV2_AWS_37 | resource | aws_transfer_server | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1389 | CKV2_AWS_37 | resource | aws_transfer_ssh_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1390 | CKV2_AWS_37 | resource | aws_transfer_user | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1391 | CKV2_AWS_37 | resource | aws_volume_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1392 | CKV2_AWS_37 | resource | aws_vpc | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1393 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1394 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1395 | CKV2_AWS_37 | resource | aws_vpc_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1396 | CKV2_AWS_37 | resource | aws_vpc_endpoint_connection_notification | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1397 | CKV2_AWS_37 | resource | aws_vpc_endpoint_route_table_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1398 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1399 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service_allowed_principal | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1400 | CKV2_AWS_37 | resource | aws_vpc_endpoint_subnet_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1401 | CKV2_AWS_37 | resource | aws_vpc_ipv4_cidr_block_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1402 | CKV2_AWS_37 | resource | aws_vpc_peering_connection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1403 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1404 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_options | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1405 | CKV2_AWS_37 | resource | aws_vpn_connection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1406 | CKV2_AWS_37 | resource | aws_vpn_connection_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1407 | CKV2_AWS_37 | resource | aws_vpn_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1408 | CKV2_AWS_37 | resource | aws_vpn_gateway_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1409 | CKV2_AWS_37 | resource | aws_vpn_gateway_route_propagation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1410 | CKV2_AWS_37 | resource | aws_waf_byte_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1411 | CKV2_AWS_37 | resource | aws_waf_geo_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1412 | CKV2_AWS_37 | resource | aws_waf_ipset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1413 | CKV2_AWS_37 | resource | aws_waf_rate_based_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1414 | CKV2_AWS_37 | resource | aws_waf_regex_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1415 | CKV2_AWS_37 | resource | aws_waf_regex_pattern_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1416 | CKV2_AWS_37 | resource | aws_waf_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1417 | CKV2_AWS_37 | resource | aws_waf_rule_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1418 | CKV2_AWS_37 | resource | aws_waf_size_constraint_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1419 | CKV2_AWS_37 | resource | aws_waf_sql_injection_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1420 | CKV2_AWS_37 | resource | aws_waf_web_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1421 | CKV2_AWS_37 | resource | aws_waf_xss_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1422 | CKV2_AWS_37 | resource | aws_wafregional_byte_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1423 | CKV2_AWS_37 | resource | aws_wafregional_geo_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1424 | CKV2_AWS_37 | resource | aws_wafregional_ipset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1425 | CKV2_AWS_37 | resource | aws_wafregional_rate_based_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1426 | CKV2_AWS_37 | resource | aws_wafregional_regex_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1427 | CKV2_AWS_37 | resource | aws_wafregional_regex_pattern_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1428 | CKV2_AWS_37 | resource | aws_wafregional_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1429 | CKV2_AWS_37 | resource | aws_wafregional_rule_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1430 | CKV2_AWS_37 | resource | aws_wafregional_size_constraint_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1431 | CKV2_AWS_37 | resource | aws_wafregional_sql_injection_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1432 | CKV2_AWS_37 | resource | aws_wafregional_web_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1433 | CKV2_AWS_37 | resource | aws_wafregional_web_acl_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1434 | CKV2_AWS_37 | resource | aws_wafregional_xss_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1435 | CKV2_AWS_37 | resource | aws_wafv2_ip_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1436 | CKV2_AWS_37 | resource | aws_wafv2_regex_pattern_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1437 | CKV2_AWS_37 | resource | aws_wafv2_rule_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1438 | CKV2_AWS_37 | resource | aws_wafv2_web_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1439 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1440 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_logging_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1441 | CKV2_AWS_37 | resource | aws_worklink_fleet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1442 | CKV2_AWS_37 | resource | aws_worklink_website_certificate_authority_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1443 | CKV2_AWS_37 | resource | aws_workspaces_directory | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1444 | CKV2_AWS_37 | resource | aws_workspaces_ip_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1445 | CKV2_AWS_37 | resource | aws_workspaces_workspace | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1446 | CKV2_AWS_37 | resource | aws_xray_sampling_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1447 | CKV2_AWS_38 | resource | aws_route53_zone | Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones | Terraform | [Route53ZoneEnableDNSSECSigning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneEnableDNSSECSigning.yaml) | -| 1448 | CKV2_AWS_39 | resource | aws_route53_zone | Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones | Terraform | [Route53ZoneHasMatchingQueryLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneHasMatchingQueryLog.yaml) | -| 1449 | CKV2_AWS_40 | resource | aws_iam_group_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1450 | CKV2_AWS_40 | resource | aws_iam_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1451 | CKV2_AWS_40 | resource | aws_iam_role_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1452 | CKV2_AWS_40 | resource | aws_iam_user_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1453 | CKV2_AWS_40 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1454 | CKV2_AWS_40 | resource | data.aws_iam_policy_document | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1455 | CKV2_AWS_41 | resource | aws_instance | Ensure an IAM role is attached to EC2 instance | Terraform | [EC2InstanceHasIAMRoleAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EC2InstanceHasIAMRoleAttached.yaml) | -| 1456 | CKV2_AWS_42 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution uses custom SSL certificate | Terraform | [CloudFrontHasCustomSSLCertificate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml) | -| 1457 | CKV2_AWS_43 | resource | aws_s3_bucket_acl | Ensure S3 Bucket does not allow access to all Authenticated users | Terraform | [S3NotAllowAccessToAllAuthenticatedUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml) | -| 1458 | CKV2_AWS_44 | resource | aws_route | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | -| 1459 | CKV2_AWS_44 | resource | aws_route_table | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | -| 1460 | CKV2_AWS_45 | resource | aws_config_configuration_recorder | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) | -| 1461 | CKV2_AWS_45 | resource | aws_config_configuration_recorder_status | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) | -| 1462 | CKV2_AWS_46 | resource | aws_cloudfront_distribution | Ensure AWS Cloudfront Distribution with S3 have Origin Access set to enabled | Terraform | [CLoudFrontS3OriginConfigWithOAI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CLoudFrontS3OriginConfigWithOAI.yaml) | -| 1463 | CKV2_AWS_47 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) | -| 1464 | CKV2_AWS_47 | resource | aws_wafv2_web_acl | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) | -| 1465 | CKV2_AWS_48 | resource | aws_config_configuration_recorder | Ensure AWS Config must record all possible resources | Terraform | [ConfigRecorderRecordsAllGlobalResources.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ConfigRecorderRecordsAllGlobalResources.yaml) | -| 1466 | CKV2_AWS_49 | resource | aws_dms_endpoint | Ensure AWS Database Migration Service endpoints have SSL configured | Terraform | [DMSEndpointHaveSSLConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/DMSEndpointHaveSSLConfigured.yaml) | -| 1467 | CKV2_AWS_50 | resource | aws_elasticache_replication_group | Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled | Terraform | [ElastiCacheRedisConfiguredAutomaticFailOver.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElastiCacheRedisConfiguredAutomaticFailOver.yaml) | -| 1468 | CKV2_AWS_51 | resource | aws_api_gateway_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | -| 1469 | CKV2_AWS_51 | resource | aws_apigatewayv2_api | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | -| 1470 | CKV2_AWS_51 | resource | aws_apigatewayv2_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | -| 1471 | CKV2_AWS_52 | resource | aws_elasticsearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) | -| 1472 | CKV2_AWS_52 | resource | aws_opensearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) | -| 1473 | CKV2_AWS_53 | resource | aws_api_gateway_method | Ensure AWS API gateway request is validated | Terraform | [APIGatewayRequestParameterValidationEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayRequestParameterValidationEnabled.yaml) | -| 1474 | CKV2_AWS_54 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication | Terraform | [CloudFrontUsesSecureProtocolsForHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontUsesSecureProtocolsForHTTPS.yaml) | -| 1475 | CKV2_AWS_55 | resource | aws_emr_cluster | Ensure AWS EMR cluster is configured with security configuration | Terraform | [EMRClusterHasSecurityConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EMRClusterHasSecurityConfiguration.yaml) | -| 1476 | CKV2_AWS_56 | resource | aws_iam_group_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1477 | CKV2_AWS_56 | resource | aws_iam_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1478 | CKV2_AWS_56 | resource | aws_iam_role | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1479 | CKV2_AWS_56 | resource | aws_iam_role_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1480 | CKV2_AWS_56 | resource | aws_iam_user_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1481 | CKV2_AWS_56 | resource | aws_ssoadmin_managed_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1482 | CKV2_AWS_56 | resource | data.aws_iam_policy | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1483 | CKV2_AWS_57 | resource | aws_secretsmanager_secret | Ensure Secrets Manager secrets should have automatic rotation enabled | Terraform | [SecretsAreRotated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SecretsAreRotated.yaml) | -| 1484 | CKV2_AWS_58 | resource | aws_neptune_cluster | Ensure AWS Neptune cluster deletion protection is enabled | Terraform | [NeptuneDeletionProtectionEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NeptuneDeletionProtectionEnabled.yaml) | -| 1485 | CKV2_AWS_59 | resource | aws_elasticsearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | -| 1486 | CKV2_AWS_59 | resource | aws_opensearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | -| 1487 | CKV2_AWS_60 | resource | aws_db_instance | Ensure RDS instance with copy tags to snapshots is enabled | Terraform | [RDSEnableCopyTagsToSnapshot.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSEnableCopyTagsToSnapshot.yaml) | -| 1488 | CKV2_AWS_61 | resource | aws_s3_bucket | Ensure that an S3 bucket has a lifecycle configuration | Terraform | [S3BucketLifecycle.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLifecycle.yaml) | -| 1489 | CKV2_AWS_62 | resource | aws_s3_bucket | Ensure S3 buckets should have event notifications enabled | Terraform | [S3BucketEventNotifications.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEventNotifications.yaml) | -| 1490 | CKV2_AWS_63 | resource | aws_networkfirewall_firewall | Ensure Network firewall has logging configuration defined | Terraform | [NetworkFirewallHasLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NetworkFirewallHasLogging.yaml) | -| 1491 | CKV2_AWS_64 | resource | aws_kms_key | Ensure KMS key Policy is defined | Terraform | [KmsKeyPolicyIsDefined.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/KmsKeyPolicyIsDefined.yaml) | -| 1492 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) | -| 1493 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) | -| 1494 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | -| 1495 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | -| 1496 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) | -| 1497 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | Bicep | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) | -| 1498 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | [AzureManagedDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryption.py) | -| 1499 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountsTransportEncryption.py) | -| 1500 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | Bicep | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountsTransportEncryption.py) | -| 1501 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'enable_https_traffic_only' is enabled | Terraform | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsTransportEncryption.py) | -| 1502 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) | -| 1503 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | Bicep | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) | -| 1504 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLoggingEnabled.py) | -| 1505 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) | -| 1506 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | Bicep | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) | -| 1507 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py) | -| 1508 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) | -| 1509 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | Bicep | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) | -| 1510 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSApiServerAuthorizedIpRanges.py) | -| 1511 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) | -| 1512 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | Bicep | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) | -| 1513 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNetworkPolicy.py) | -| 1514 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) | -| 1515 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | Bicep | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) | -| 1516 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kubernetes Dashboard is disabled | Terraform | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSDashboardDisabled.py) | -| 1517 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | -| 1518 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | -| 1519 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | -| 1520 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | -| 1521 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | -| 1522 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | -| 1523 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | -| 1524 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | -| 1525 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | -| 1526 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | -| 1527 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | -| 1528 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | -| 1529 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) | -| 1530 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Bicep | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) | -| 1531 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | -| 1532 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | -| 1533 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | -| 1534 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | -| 1535 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 1536 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 1537 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 1538 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 1539 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 1540 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 1541 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 1542 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 1543 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkWatcherFlowLogPeriod.py) | -| 1544 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | -| 1545 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | -| 1546 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | -| 1547 | CKV_AZURE_13 | resource | azurerm_linux_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | -| 1548 | CKV_AZURE_13 | resource | azurerm_windows_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | -| 1549 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | -| 1550 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | -| 1551 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) | -| 1552 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Bicep | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) | -| 1553 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | -| 1554 | CKV_AZURE_14 | resource | azurerm_linux_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | -| 1555 | CKV_AZURE_14 | resource | azurerm_windows_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | -| 1556 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) | -| 1557 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | Bicep | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) | -| 1558 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | -| 1559 | CKV_AZURE_15 | resource | azurerm_linux_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | -| 1560 | CKV_AZURE_15 | resource | azurerm_windows_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | -| 1561 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) | -| 1562 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | Bicep | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) | -| 1563 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | -| 1564 | CKV_AZURE_16 | resource | azurerm_linux_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | -| 1565 | CKV_AZURE_16 | resource | azurerm_windows_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | -| 1566 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) | -| 1567 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Bicep | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) | -| 1568 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | -| 1569 | CKV_AZURE_17 | resource | azurerm_linux_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | -| 1570 | CKV_AZURE_17 | resource | azurerm_windows_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | -| 1571 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | -| 1572 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | Bicep | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | -| 1573 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | -| 1574 | CKV_AZURE_18 | resource | azurerm_linux_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | -| 1575 | CKV_AZURE_18 | resource | azurerm_windows_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | -| 1576 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | -| 1577 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | Bicep | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | -| 1578 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterStandardPricing.py) | -| 1579 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | -| 1580 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | Bicep | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | -| 1581 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactPhone.py) | -| 1582 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | -| 1583 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | -| 1584 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlert.py) | -| 1585 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | -| 1586 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | -| 1587 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlertAdmins.py) | -| 1588 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | -| 1589 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 1590 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 1591 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | -| 1592 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 1593 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 1594 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | -| 1595 | CKV_AZURE_23 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | -| 1596 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | -| 1597 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm | [SQLServerAuditingRetention90Days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingRetention90Days.py) | -| 1598 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | [SQLServerAuditingRetention90Days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingRetention90Days.py) | -| 1599 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | -| 1600 | CKV_AZURE_24 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | -| 1601 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | -| 1602 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | -| 1603 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | Bicep | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | -| 1604 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerThreatDetectionTypes.py) | -| 1605 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | -| 1606 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Bicep | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | -| 1607 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsEnabled.py) | -| 1608 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | -| 1609 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Bicep | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | -| 1610 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsToAdminsEnabled.py) | -| 1611 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | -| 1612 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Bicep | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | -| 1613 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerSSLEnforcementEnabled.py) | -| 1614 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | -| 1615 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Bicep | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | -| 1616 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerSSLEnforcementEnabled.py) | -| 1617 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 1618 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 1619 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogCheckpointsEnabled.py) | -| 1620 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 1621 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 1622 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 1623 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 1624 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogConnectionsEnabled.py) | -| 1625 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 1626 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 1627 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 1628 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 1629 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 1630 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 1631 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 1632 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | -| 1633 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Bicep | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | -| 1634 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountLoggingQueueServiceEnabled.py) | -| 1635 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1636 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1637 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobServiceContainerPrivateAccess.py) | -| 1638 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1639 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1640 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1641 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1642 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDefaultNetworkAccessDeny.py) | -| 1643 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | Bicep | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | -| 1644 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | -| 1645 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | -| 1646 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountAzureServicesAccessEnabled.py) | -| 1647 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Bicep | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | -| 1648 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | -| 1649 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | -| 1650 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | -| 1651 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | Bicep | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | -| 1652 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileRetentionDays.py) | -| 1653 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | arm | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | -| 1654 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | Bicep | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | -| 1655 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileCategories.py) | -| 1656 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | -| 1657 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | Bicep | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | -| 1658 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | [CutsomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CutsomRoleDefinitionSubscriptionOwner.py) | -| 1659 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | arm | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | -| 1660 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | Bicep | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | -| 1661 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyExpirationDate.py) | -| 1662 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | -| 1663 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | Bicep | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | -| 1664 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretExpirationDate.py) | -| 1665 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | -| 1666 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | Bicep | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | -| 1667 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyvaultRecoveryEnabled.py) | -| 1668 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform | [StorageAccountName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountName.py) | -| 1669 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountMinimumTlsVersion.py) | -| 1670 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | [VMCredsInCustomData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMCredsInCustomData.py) | -| 1671 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | arm | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) | -| 1672 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Bicep | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) | -| 1673 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBSSLEnforcementEnabled.py) | -| 1674 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | [MariaDBPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBPublicAccessDisabled.py) | -| 1675 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | arm | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) | -| 1676 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) | -| 1677 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureScaleSetPassword.py) | -| 1678 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | arm | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) | -| 1679 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | Bicep | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) | -| 1680 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | -| 1681 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | -| 1682 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerMinTLSVersion.py) | -| 1683 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLPublicAccessDisabled.py) | -| 1684 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerMinTLSVersion.py) | -| 1685 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | [AzureDefenderOnServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnServers.py) | -| 1686 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsEnableAuthentication.py) | -| 1687 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | -| 1688 | CKV_AZURE_57 | resource | azurerm_linux_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | -| 1689 | CKV_AZURE_57 | resource | azurerm_windows_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | -| 1690 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | arm | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | -| 1691 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | Bicep | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | -| 1692 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | -| 1693 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | arm | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) | -| 1694 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | Bicep | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) | -| 1695 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDisablePublicAccess.py) | -| 1696 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | [AzureDefenderOnAppServices.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnAppServices.py) | -| 1697 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppDisallowCORS.py) | -| 1698 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | arm | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) | -| 1699 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | Bicep | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) | -| 1700 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | -| 1701 | CKV_AZURE_63 | resource | azurerm_linux_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | -| 1702 | CKV_AZURE_63 | resource | azurerm_windows_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | -| 1703 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageSyncPublicAccessDisabled.py) | -| 1704 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | arm | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) | -| 1705 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | Bicep | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) | -| 1706 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | -| 1707 | CKV_AZURE_65 | resource | azurerm_linux_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | -| 1708 | CKV_AZURE_65 | resource | azurerm_windows_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | -| 1709 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | arm | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) | -| 1710 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | Bicep | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) | -| 1711 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | -| 1712 | CKV_AZURE_66 | resource | azurerm_linux_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | -| 1713 | CKV_AZURE_66 | resource | azurerm_windows_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | -| 1714 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | -| 1715 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | -| 1716 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | [PostgreSQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerPublicAccessDisabled.py) | -| 1717 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | [AzureDefenderOnSqlServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServers.py) | -| 1718 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | -| 1719 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | -| 1720 | CKV_AZURE_71 | resource | azurerm_linux_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | -| 1721 | CKV_AZURE_71 | resource | azurerm_windows_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | -| 1722 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | -| 1723 | CKV_AZURE_72 | resource | azurerm_linux_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | -| 1724 | CKV_AZURE_72 | resource | azurerm_windows_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | -| 1725 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | -| 1726 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | -| 1727 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | -| 1728 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | -| 1729 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Terraform | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerUsesDiskEncryption.py) | -| 1730 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | [AzureDataExplorerDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDataExplorerDoubleEncryptionEnabled.py) | -| 1731 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureBatchAccountUsesKeyVaultEncryption.py) | -| 1732 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | -| 1733 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | -| 1734 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | -| 1735 | CKV_AZURE_78 | resource | azurerm_linux_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | -| 1736 | CKV_AZURE_78 | resource | azurerm_windows_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | -| 1737 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | [AzureDefenderOnSqlServerVMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServerVMS.py) | -| 1738 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | arm | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) | -| 1739 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Bicep | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) | -| 1740 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | -| 1741 | CKV_AZURE_80 | resource | azurerm_windows_web_app | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | -| 1742 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | [AppServicePHPVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePHPVersion.py) | -| 1743 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePythonVersion.py) | -| 1744 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceJavaVersion.py) | -| 1745 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnStorage.py) | -| 1746 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | [AzureDefenderOnKubernetes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKubernetes.py) | -| 1747 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | [AzureDefenderOnContainerRegistry.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnContainerRegistry.py) | -| 1748 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | [AzureDefenderOnKeyVaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKeyVaults.py) | -| 1749 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | -| 1750 | CKV_AZURE_88 | resource | azurerm_linux_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | -| 1751 | CKV_AZURE_88 | resource | azurerm_windows_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | -| 1752 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | arm | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | -| 1753 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | Bicep | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | -| 1754 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCachePublicNetworkAccessEnabled.py) | -| 1755 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | [RedisCacheEnableNonSSLPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheEnableNonSSLPort.py) | -| 1756 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | -| 1757 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | -| 1758 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | arm | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | -| 1759 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Bicep | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | -| 1760 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryptionSet.py) | -| 1761 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | arm | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | -| 1762 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | Bicep | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | -| 1763 | CKV_AZURE_94 | resource | azurerm_mysql_flexible_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | -| 1764 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | -| 1765 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMScaleSetsAutoOSImagePatchingEnabled.py) | -| 1766 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | [MySQLEncryptionEnaled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLEncryptionEnaled.py) | -| 1767 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | -| 1768 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | -| 1769 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | [AzureContainerGroupDeployedIntoVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerGroupDeployedIntoVirtualNetwork.py) | -| 1770 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | [CosmosDBAccountsRestrictedAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBAccountsRestrictedAccess.py) | -| 1771 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | arm | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) | -| 1772 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Bicep | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) | -| 1773 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBHaveCMK.py) | -| 1774 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | arm | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) | -| 1775 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | Bicep | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) | -| 1776 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisablesPublicNetwork.py) | -| 1777 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | [PostgressSQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgressSQLGeoBackupEnabled.py) | -| 1778 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryUsesGitRepository.py) | -| 1779 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | [DataFactoryNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryNoPublicNetworkAccess.py) | -| 1780 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | [DataLakeStoreEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataLakeStoreEncryption.py) | -| 1781 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | [EventgridDomainNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainNetworkAccess.py) | -| 1782 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | arm | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) | -| 1783 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | Bicep | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) | -| 1784 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIServicesUseVirtualNetwork.py) | -| 1785 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | [IoTNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/IoTNoPublicNetworkAccess.py) | -| 1786 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | arm | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) | -| 1787 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | Bicep | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) | -| 1788 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesFirewallRulesSettings.py) | -| 1789 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | [KeyVaultEnablesPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesPurgeProtection.py) | -| 1790 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | arm | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) | -| 1791 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | Bicep | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) | -| 1792 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesSoftDelete.py) | -| 1793 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | arm | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) | -| 1794 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | Bicep | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) | -| 1795 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyBackedByHSM.py) | -| 1796 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | arm | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) | -| 1797 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | Bicep | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) | -| 1798 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | [SQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerPublicAccessDisabled.py) | -| 1799 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | arm | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) | -| 1800 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | Bicep | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) | -| 1801 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretContentType.py) | -| 1802 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | [AKSEnablesPrivateClusters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEnablesPrivateClusters.py) | -| 1803 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | [AKSUsesAzurePoliciesAddon.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesAzurePoliciesAddon.py) | -| 1804 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | [AKSUsesDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesDiskEncryptionSet.py) | -| 1805 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | [NetworkInterfaceEnableIPForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkInterfaceEnableIPForwarding.py) | -| 1806 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | [AzureNetworkInterfacePublicIPAddressId.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureNetworkInterfacePublicIPAddressId.yaml) | -| 1807 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | -| 1808 | CKV_AZURE_120 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | -| 1809 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | arm | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) | -| 1810 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | Bicep | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) | -| 1811 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFrontDoorEnablesWAF.py) | -| 1812 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | [AppGWUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUseWAFMode.py) | -| 1813 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | arm | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) | -| 1814 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Bicep | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) | -| 1815 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontdoorUseWAFMode.py) | -| 1816 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | [AzureSearchPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchPublicNetworkAccessDisabled.py) | -| 1817 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | [AzureServiceFabricClusterProtectionLevel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py) | -| 1818 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | [ActiveDirectoryUsedAuthenticationServiceFabric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ActiveDirectoryUsedAuthenticationServiceFabric.py) | -| 1819 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | [MySQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLTreatDetectionEnabled.py) | -| 1820 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | [PostgresSQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgresSQLTreatDetectionEnabled.py) | -| 1821 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | [MariaDBGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBGeoBackupEnabled.py) | -| 1822 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | arm | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) | -| 1823 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | Bicep | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) | -| 1824 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLEncryptionEnabled.py) | -| 1825 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | [SecurityCenterContactEmails.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmails.py) | -| 1826 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py) | -| 1827 | CKV_AZURE_131 | parameter | string | SecureString parameter should not have hardcoded default values | Bicep | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/param/azure/SecureStringParameterNoHardcodedValue.py) | -| 1828 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | arm | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) | -| 1829 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Bicep | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) | -| 1830 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisableAccessKeyWrite.py) | -| 1831 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [FrontDoorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontDoorWAFACLCVE202144228.py) | -| 1832 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | arm | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) | -| 1833 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | Bicep | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) | -| 1834 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesDisablesPublicNetwork.py) | -| 1835 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [AppGatewayWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGatewayWAFACLCVE202144228.py) | -| 1836 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform | [PostgreSQLFlexiServerGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLFlexiServerGeoBackupEnabled.py) | -| 1837 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform | [ACRAdminAccountDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAdminAccountDisabled.py) | -| 1838 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform | [ACRAnonymousPullDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py) | -| 1839 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform | [ACRPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRPublicNetworkAccessDisabled.py) | -| 1840 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform | [CosmosDBLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBLocalAuthDisabled.py) | -| 1841 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform | [AKSLocalAdminDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLocalAdminDisabled.py) | -| 1842 | CKV_AZURE_142 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform | [MLCCLADisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLCCLADisabled.py) | -| 1843 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform | [AKSNodePublicIpDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNodePublicIpDisabled.py) | -| 1844 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform | [MLPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLPublicAccess.py) | -| 1845 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1846 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogRetentionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogRetentionEnabled.py) | -| 1847 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform | [PostgreSQLMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLMinTLSVersion.py) | -| 1848 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform | [RedisCacheMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheMinTLSVersion.py) | -| 1849 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | -| 1850 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | -| 1851 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform | [MLComputeClusterMinNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLComputeClusterMinNodes.py) | -| 1852 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | arm | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | -| 1853 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | Bicep | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | -| 1854 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMEncryptionAtHost.py) | -| 1855 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | [APIManagementCertsEnforced.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementCertsEnforced.py) | -| 1856 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | -| 1857 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | [AppServiceSlotMinTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py) | -| 1858 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotDebugDisabled.py) | -| 1859 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | [MSSQLServerAuditPolicyLogMonitor.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerAuditPolicyLogMonitor.py) | -| 1860 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesDataExfilProtection.py) | -| 1861 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace has not public | Terraform | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py) | -| 1862 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | -| 1863 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | -| 1864 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 1865 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 1866 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 1867 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 1868 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | -| 1869 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | -| 1870 | CKV_AZURE_161 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal is enabled on for HTTPS | Terraform | [SpringCloudAPIPortalHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalHTTPSOnly.py) | -| 1871 | CKV_AZURE_162 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal Public Access Is Disabled | Terraform | [SpringCloudAPIPortalPublicAccessIsDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py) | -| 1872 | CKV_AZURE_163 | resource | azurerm_container_registry | Enable vulnerability scanning for container images. | Terraform | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py) | -| 1873 | CKV_AZURE_164 | resource | azurerm_container_registry | Ensures that ACR uses signed/trusted images | Terraform | [ACRUseSignedImages.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRUseSignedImages.py) | -| 1874 | CKV_AZURE_165 | resource | azurerm_container_registry | Ensure geo-replicated container registries to match multi-region container deployments. | Terraform | [ACRGeoreplicated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py) | -| 1875 | CKV_AZURE_166 | resource | azurerm_container_registry | Ensure container image quarantine, scan, and mark images verified | Terraform | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableImageQuarantine.py) | -| 1876 | CKV_AZURE_167 | resource | azurerm_container_registry | Ensure a retention policy is set to cleanup untagged manifests. | Terraform | [ACREnableRetentionPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py) | -| 1877 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | -| 1878 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster_node_pool | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | -| 1879 | CKV_AZURE_169 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Terraform | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSPoolTypeIsScaleSet.py) | -| 1880 | CKV_AZURE_170 | resource | azurerm_kubernetes_cluster | Ensure that AKS use the Paid Sku for its SLA | Terraform | [AKSIsPaidSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSIsPaidSku.py) | -| 1881 | CKV_AZURE_171 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster upgrade channel is chosen | Terraform | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUpgradeChannel.py) | -| 1882 | CKV_AZURE_172 | resource | azurerm_kubernetes_cluster | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Terraform | [AKSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSSecretStoreRotation.py) | -| 1883 | CKV_AZURE_173 | resource | azurerm_api_management | Ensure API management uses at least TLS 1.2 | Terraform | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py) | -| 1884 | CKV_AZURE_174 | resource | azurerm_api_management | Ensure API management public access is disabled | Terraform | [APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementPublicAccess.py) | -| 1885 | CKV_AZURE_175 | resource | azurerm_web_pubsub | Ensure Web PubSub uses a SKU with an SLA | Terraform | [PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSKUSLA.py) | -| 1886 | CKV_AZURE_176 | resource | azurerm_web_pubsub | Ensure Web PubSub uses managed identities to access Azure resources | Terraform | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSpecifyIdentity.py) | -| 1887 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | -| 1888 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine_scale_set | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | -| 1889 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | -| 1890 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine_scale_set | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | -| 1891 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1892 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1893 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1894 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1895 | CKV_AZURE_180 | resource | azurerm_kusto_cluster | Ensure that data explorer uses Sku with an SLA | Terraform | [DataExplorerSKUHasSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerSKUHasSLA.py) | -| 1896 | CKV_AZURE_181 | resource | azurerm_kusto_cluster | Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. | Terraform | [DataExplorerServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerServiceIdentity.py) | -| 1897 | CKV_AZURE_182 | resource | azurerm_virtual_network | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | -| 1898 | CKV_AZURE_182 | resource | azurerm_virtual_network_dns_servers | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | -| 1899 | CKV_AZURE_183 | resource | azurerm_virtual_network | Ensure that VNET uses local DNS addresses | Terraform | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetLocalDNS.py) | -| 1900 | CKV_AZURE_184 | resource | azurerm_app_configuration | Ensure 'local_auth_enabled' is set to 'False' | Terraform | [AppConfigLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigLocalAuth.py) | -| 1901 | CKV_AZURE_185 | resource | azurerm_app_configuration | Ensure 'Public Access' is not Enabled for App configuration | Terraform | [AppConfigPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPublicAccess.py) | -| 1902 | CKV_AZURE_186 | resource | azurerm_app_configuration | Ensure App configuration encryption block is set. | Terraform | [AppConfigEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigEncryption.py) | -| 1903 | CKV_AZURE_187 | resource | azurerm_app_configuration | Ensure App configuration purge protection is enabled | Terraform | [AppConfigPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPurgeProtection.py) | -| 1904 | CKV_AZURE_188 | resource | azurerm_app_configuration | Ensure App configuration Sku is standard | Terraform | [AppConfigSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigSku.py) | -| 1905 | CKV_AZURE_189 | resource | azurerm_key_vault | Ensure that Azure Key Vault disables public network access | Terraform | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py) | -| 1906 | CKV_AZURE_190 | resource | azurerm_storage_account | Ensure that Storage blobs restrict public access | Terraform | [StorageBlobRestrictPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py) | -| 1907 | CKV_AZURE_191 | resource | azurerm_eventgrid_topic | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Terraform | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicIdentityProviderEnabled.py) | -| 1908 | CKV_AZURE_192 | resource | azurerm_eventgrid_topic | Ensure that Azure Event Grid Topic local Authentication is disabled | Terraform | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicLocalAuthentication.py) | -| 1909 | CKV_AZURE_193 | resource | azurerm_eventgrid_topic | Ensure public network access is disabled for Azure Event Grid Topic | Terraform | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicNetworkAccess.py) | -| 1910 | CKV_AZURE_194 | resource | azurerm_eventgrid_domain | Ensure that Managed identity provider is enabled for Azure Event Grid Domain | Terraform | [EventgridDomainIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainIdentityProviderEnabled.py) | -| 1911 | CKV_AZURE_195 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain local Authentication is disabled | Terraform | [EventgridDomainLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainLocalAuthentication.py) | -| 1912 | CKV_AZURE_196 | resource | azurerm_signalr_service | Ensure that SignalR uses a Paid Sku for its SLA | Terraform | [SignalRSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SignalRSKUSLA.py) | -| 1913 | CKV_AZURE_197 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN disables the HTTP endpoint | Terraform | [CDNDisableHttpEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNDisableHttpEndpoints.py) | -| 1914 | CKV_AZURE_198 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN enables the HTTPS endpoint | Terraform | [CDNEnableHttpsEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNEnableHttpsEndpoints.py) | -| 1915 | CKV_AZURE_199 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses double encryption | Terraform | [AzureServicebusDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusDoubleEncryptionEnabled.py) | -| 1916 | CKV_AZURE_200 | resource | azurerm_cdn_endpoint_custom_domain | Ensure the Azure CDN endpoint is using the latest version of TLS encryption | Terraform | [CDNTLSProtocol12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py) | -| 1917 | CKV_AZURE_201 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses a customer-managed key to encrypt data | Terraform | [AzureServicebusHasCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusHasCMK.py) | -| 1918 | CKV_AZURE_202 | resource | azurerm_servicebus_namespace | Ensure that Managed identity provider is enabled for Azure Service Bus | Terraform | [AzureServicebusIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusIdentityProviderEnabled.py) | -| 1919 | CKV_AZURE_203 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus Local Authentication is disabled | Terraform | [AzureServicebusLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusLocalAuthDisabled.py) | -| 1920 | CKV_AZURE_204 | resource | azurerm_servicebus_namespace | Ensure 'public network access enabled' is set to 'False' for Azure Service Bus | Terraform | [AzureServicebusPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusPublicAccessDisabled.py) | -| 1921 | CKV_AZURE_205 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus is using the latest version of TLS encryption | Terraform | [AzureServicebusMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusMinTLSVersion.py) | -| 1922 | CKV_AZURE_206 | resource | azurerm_storage_account | Ensure that Storage Accounts use replication | Terraform | [StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsUseReplication.py) | -| 1923 | CKV_AZURE_207 | resource | azurerm_search_service | Ensure Azure Cognitive Search service uses managed identities to access Azure resources | Terraform | [AzureSearchManagedIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchManagedIdentity.py) | -| 1924 | CKV_AZURE_208 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for index updates | Terraform | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAIndex.py) | -| 1925 | CKV_AZURE_209 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for search index queries | Terraform | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAQueryUpdates.py) | -| 1926 | CKV_AZURE_210 | resource | azurerm_search_service | Ensure Azure Cognitive Search service allowed IPS does not give public Access | Terraform | [AzureSearchAllowedIPsNotGlobal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchAllowedIPsNotGlobal.py) | -| 1927 | CKV_AZURE_211 | resource | azurerm_service_plan | Ensure App Service plan suitable for production use | Terraform | [AppServiceSkuMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSkuMinimum.py) | -| 1928 | CKV_AZURE_212 | resource | azurerm_service_plan | Ensure App Service has a minimum number of instances for failover | Terraform | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py) | -| 1929 | CKV_AZURE_213 | resource | azurerm_app_service | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1930 | CKV_AZURE_213 | resource | azurerm_linux_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1931 | CKV_AZURE_213 | resource | azurerm_windows_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1932 | CKV_AZURE_214 | resource | azurerm_linux_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | -| 1933 | CKV_AZURE_214 | resource | azurerm_windows_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | -| 1934 | CKV_AZURE_215 | resource | azurerm_api_management_backend | Ensure API management backend uses https | Terraform | [APIManagementBackendHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementBackendHTTPS.py) | -| 1935 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | arm | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | -| 1936 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Bicep | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | -| 1937 | CKV_AZURE_216 | resource | azurerm_firewall | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Terraform | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDenyThreatIntelMode.py) | -| 1938 | CKV_AZURE_217 | resource | azurerm_application_gateway | Ensure Azure Application gateways listener that allow connection requests over HTTP | Terraform | [AppGWUsesHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUsesHttps.py) | -| 1939 | CKV_AZURE_218 | resource | azurerm_application_gateway | Ensure Application Gateway defines secure protocols for in transit communication | Terraform | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py) | -| 1940 | CKV_AZURE_219 | resource | azurerm_firewall | Ensure Firewall defines a firewall policy | Terraform | [AzureFirewallDefinesPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDefinesPolicy.py) | -| 1941 | CKV_AZURE_220 | resource | azurerm_firewall_policy | Ensure Firewall policy has IDPS mode as deny | Terraform | [AzureFirewallPolicyIDPSDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallPolicyIDPSDeny.py) | -| 1942 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | [StorageCriticalDataEncryptedCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageCriticalDataEncryptedCMK.yaml) | -| 1943 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | -| 1944 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | -| 1945 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1946 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1947 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1948 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1949 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1950 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1951 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1952 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1953 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1954 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1955 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1956 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1957 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | -| 1958 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | -| 1959 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | [AzureActiveDirectoryAdminIsConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureActiveDirectoryAdminIsConfigured.yaml) | -| 1960 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 1961 | CKV2_AZURE_8 | resource | azurerm_storage_account | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 1962 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 1963 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | [VirtualMachinesUtilizingManagedDisks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VirtualMachinesUtilizingManagedDisks.yaml) | -| 1964 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | -| 1965 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | -| 1966 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | [DataExplorerEncryptionUsesCustomKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DataExplorerEncryptionUsesCustomKey.yaml) | -| 1967 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | [VMHasBackUpMachine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VMHasBackUpMachine.yaml) | -| 1968 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | -| 1969 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | -| 1970 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | -| 1971 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | -| 1972 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | [AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml) | -| 1973 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | -| 1974 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | -| 1975 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | -| 1976 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | -| 1977 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | [AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml) | -| 1978 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 1979 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 1980 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 1981 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 1982 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 1983 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 1984 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | -| 1985 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | -| 1986 | CKV2_AZURE_23 | resource | Microsoft.AppPlatform/Spring | Ensure Azure spring cloud is configured with Virtual network (Vnet) | arm | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureSpringCloudConfigWithVnet.yaml) | -| 1987 | CKV2_AZURE_23 | resource | azurerm_spring_cloud_service | Ensure Azure spring cloud is configured with Virtual network (Vnet) | Terraform | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudConfigWithVnet.yaml) | -| 1988 | CKV2_AZURE_24 | resource | azurerm_automation_account | Ensure Azure automation account does NOT have overly permissive network access | Terraform | [AzureAutomationAccNotOverlyPermissiveNetAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccNotOverlyPermissiveNetAccess.yaml) | -| 1989 | CKV2_AZURE_25 | resource | azurerm_mssql_database | Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled | Terraform | [AzureSqlDbEnableTransparentDataEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSqlDbEnableTransparentDataEncryption.yaml) | -| 1990 | CKV2_AZURE_26 | resource | azurerm_postgresql_flexible_server_firewall_rule | Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access | Terraform | [AzurePostgreSQLFlexServerNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLFlexServerNotOverlyPermissive.yaml) | -| 1991 | CKV2_AZURE_27 | resource | azurerm_mssql_server | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Terraform | [AzureConfigMSSQLwithAD.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml) | -| 1992 | CKV2_AZURE_28 | resource | azurerm_container_group | Ensure Container Instance is configured with managed identity | Terraform | [AzureContainerInstanceconfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureContainerInstanceconfigManagedIdentity.yaml) | -| 1993 | CKV2_AZURE_29 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Azure CNI networking enabled | Terraform | [AzureAKSclusterAzureCNIEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAKSclusterAzureCNIEnabled.yaml) | -| 1994 | CKV2_AZURE_30 | resource | azurerm_container_registry_webhook | Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook | Terraform | [AzureACR_HTTPSwebhook.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureACR_HTTPSwebhook.yaml) | -| 1995 | CKV2_AZURE_31 | resource | azurerm_subnet | Ensure VNET subnet is configured with a Network Security Group (NSG) | Terraform | [AzureSubnetConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSubnetConfigWithNSG.yaml) | -| 1996 | CKV2_AZURE_32 | resource | azurerm_key_vault | Ensure private endpoint is configured to key vault | Terraform | [AzureKeyVaultConfigPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureKeyVaultConfigPrivateEndpoint.yaml) | -| 1997 | CKV2_AZURE_33 | resource | azurerm_storage_account | Ensure storage account is configured with private endpoint | Terraform | [AzureStorageAccConfigWithPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithPrivateEndpoint.yaml) | -| 1998 | CKV2_AZURE_34 | resource | azurerm_sql_firewall_rule | Ensure Azure SQL server firewall is not overly permissive | Terraform | [AzureSQLserverNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSQLserverNotOverlyPermissive.yaml) | -| 1999 | CKV2_AZURE_35 | resource | azurerm_recovery_services_vault | Ensure Azure recovery services vault is configured with managed identity | Terraform | [AzureRecoveryServicesvaultConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureRecoveryServicesvaultConfigManagedIdentity.yaml) | -| 2000 | CKV2_AZURE_36 | resource | azurerm_automation_account | Ensure Azure automation account is configured with managed identity | Terraform | [AzureAutomationAccConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccConfigManagedIdentity.yaml) | -| 2001 | CKV2_AZURE_37 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is using latest TLS (1.2) | Terraform | [AzureMariaDBserverUsingTLS_1_2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverUsingTLS_1_2.yaml) | -| 2002 | CKV2_AZURE_38 | resource | azurerm_storage_account | Ensure soft-delete is enabled on Azure storage account | Terraform | [AzureStorageAccountEnableSoftDelete.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccountEnableSoftDelete.yaml) | -| 2003 | CKV_AZUREPIPELINES_1 | azure_pipelines | jobs | Ensure container job uses a non latest version tag | Azure Pipelines | [ContainerLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerLatestTag.py) | -| 2004 | CKV_AZUREPIPELINES_1 | azure_pipelines | stages[].jobs[] | Ensure container job uses a non latest version tag | Azure Pipelines | [ContainerLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerLatestTag.py) | -| 2005 | CKV_AZUREPIPELINES_2 | azure_pipelines | jobs | Ensure container job uses a version digest | Azure Pipelines | [ContainerDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerDigest.py) | -| 2006 | CKV_AZUREPIPELINES_2 | azure_pipelines | stages[].jobs[] | Ensure container job uses a version digest | Azure Pipelines | [ContainerDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerDigest.py) | -| 2007 | CKV_AZUREPIPELINES_3 | azure_pipelines | jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | [SetSecretVariable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/SetSecretVariable.py) | -| 2008 | CKV_AZUREPIPELINES_3 | azure_pipelines | stages[].jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | [SetSecretVariable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/SetSecretVariable.py) | -| 2009 | CKV_AZUREPIPELINES_5 | azure_pipelines | *.container[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | -| 2010 | CKV_AZUREPIPELINES_5 | azure_pipelines | jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | -| 2011 | CKV_AZUREPIPELINES_5 | azure_pipelines | stages[].jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | -| 2012 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/bridgecrew/credentials.py) | -| 2013 | CKV_BITBUCKET_1 | bitbucket_configuration | * | Merge requests should require at least 2 approvals | bitbucket_configuration | [merge_requests_approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket/checks/merge_requests_approvals.py) | -| 2014 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | [{image:image,__startline__:__startline__,__endline__:__endline__}] | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | -| 2015 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines.*.[*][][][].step.{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | -| 2016 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines.default[].step.{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | -| 2017 | CKV_CIRCLECIPIPELINES_1 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | circleci_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/latest_image.py) | -| 2018 | CKV_CIRCLECIPIPELINES_2 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image version is referenced via hash not arbitrary tag. | circleci_pipelines | [image_version_not_hash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/image_version_not_hash.py) | -| 2019 | CKV_CIRCLECIPIPELINES_3 | circleci_pipelines | orbs.{orbs: @} | Ensure mutable development orbs are not used. | circleci_pipelines | [prevent_development_orbs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/prevent_development_orbs.py) | -| 2020 | CKV_CIRCLECIPIPELINES_4 | circleci_pipelines | orbs.{orbs: @} | Ensure unversioned volatile orbs are not used. | circleci_pipelines | [prevent_volatile_orbs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/prevent_volatile_orbs.py) | -| 2021 | CKV_CIRCLECIPIPELINES_5 | circleci_pipelines | jobs.*.steps[] | Suspicious use of netcat with IP address | circleci_pipelines | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/ReverseShellNetcat.py) | -| 2022 | CKV_CIRCLECIPIPELINES_6 | circleci_pipelines | jobs.*.steps[] | Ensure run commands are not vulnerable to shell injection | circleci_pipelines | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/ShellInjection.py) | -| 2023 | CKV_CIRCLECIPIPELINES_7 | circleci_pipelines | jobs.*.steps[] | Suspicious use of curl in run task | circleci_pipelines | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/SuspectCurlInScript.py) | -| 2024 | CKV_CIRCLECIPIPELINES_8 | circleci_pipelines | executors.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Detecting image usages in circleci pipelines | circleci_pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/DetectImagesUsage.py) | -| 2025 | CKV_CIRCLECIPIPELINES_8 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Detecting image usages in circleci pipelines | circleci_pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/DetectImagesUsage.py) | -| 2026 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | [SpacesBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketVersioning.py) | -| 2027 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | [DropletSSHKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/DropletSSHKeys.py) | -| 2028 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | [SpacesBucketPublicRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketPublicRead.py) | -| 2029 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | [FirewallIngressOpen.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/FirewallIngressOpen.py) | -| 2030 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | [ExposePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/ExposePort22.py) | -| 2031 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | [HealthcheckExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/HealthcheckExists.py) | -| 2032 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | [UserExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/UserExists.py) | -| 2033 | CKV_DOCKER_4 | dockerfile | ADD | Ensure that COPY is used instead of ADD in Dockerfiles | dockerfile | [AddExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/AddExists.py) | -| 2034 | CKV_DOCKER_5 | dockerfile | RUN | Ensure update instructions are not use alone in the Dockerfile | dockerfile | [UpdateNotAlone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/UpdateNotAlone.py) | -| 2035 | CKV_DOCKER_6 | dockerfile | MAINTAINER | Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) | dockerfile | [MaintainerExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/MaintainerExists.py) | -| 2036 | CKV_DOCKER_7 | dockerfile | FROM | Ensure the base image uses a non latest version tag | dockerfile | [ReferenceLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/ReferenceLatestTag.py) | -| 2037 | CKV_DOCKER_8 | dockerfile | USER | Ensure the last USER is not root | dockerfile | [RootUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/RootUser.py) | -| 2038 | CKV_DOCKER_9 | dockerfile | RUN | Ensure that APT isn't used | dockerfile | [RunUsingAPT.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/RunUsingAPT.py) | -| 2039 | CKV_DOCKER_10 | dockerfile | WORKDIR | Ensure that WORKDIR values are absolute paths | dockerfile | [WorkdirIsAbsolute.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/WorkdirIsAbsolute.py) | -| 2040 | CKV_DOCKER_11 | dockerfile | FROM | Ensure From Alias are unique for multistage builds. | dockerfile | [AliasIsUnique.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/AliasIsUnique.py) | -| 2041 | CKV2_DOCKER_1 | resource | RUN | Ensure that sudo isn't used | dockerfile | [RunUsingSudo.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUsingSudo.yaml) | -| 2042 | CKV2_DOCKER_2 | resource | RUN | Ensure that certificate validation isn't disabled with curl | dockerfile | [RunUnsafeCurl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUnsafeCurl.yaml) | -| 2043 | CKV2_DOCKER_3 | resource | RUN | Ensure that certificate validation isn't disabled with wget | dockerfile | [RunUnsafeWget.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUnsafeWget.yaml) | -| 2044 | CKV2_DOCKER_4 | resource | RUN | Ensure that certificate validation isn't disabled with the pip '--trusted-host' option | dockerfile | [RunPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunPipTrustedHost.yaml) | -| 2045 | CKV2_DOCKER_5 | resource | ARG | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) | -| 2046 | CKV2_DOCKER_5 | resource | ENV | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) | -| 2047 | CKV2_DOCKER_5 | resource | RUN | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) | -| 2048 | CKV2_DOCKER_6 | resource | ARG | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) | -| 2049 | CKV2_DOCKER_6 | resource | ENV | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) | -| 2050 | CKV2_DOCKER_6 | resource | RUN | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) | -| 2051 | CKV2_DOCKER_7 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option | dockerfile | [RunApkAllowUntrusted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunApkAllowUntrusted.yaml) | -| 2052 | CKV2_DOCKER_8 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option | dockerfile | [RunAptGetAllowUnauthenticated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunAptGetAllowUnauthenticated.yaml) | -| 2053 | CKV2_DOCKER_9 | resource | RUN | Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option | dockerfile | [RunYumNoGpgCheck.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunYumNoGpgCheck.yaml) | -| 2054 | CKV2_DOCKER_10 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options | dockerfile | [RunRpmNoSignature.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunRpmNoSignature.yaml) | -| 2055 | CKV2_DOCKER_11 | resource | RUN | Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | dockerfile | [RunAptGetForceYes.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunAptGetForceYes.yaml) | -| 2056 | CKV2_DOCKER_12 | resource | ARG | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) | -| 2057 | CKV2_DOCKER_12 | resource | ENV | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) | -| 2058 | CKV2_DOCKER_12 | resource | RUN | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) | -| 2059 | CKV2_DOCKER_13 | resource | RUN | Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false | dockerfile | [RunNpmConfigSetStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunNpmConfigSetStrictSsl.yaml) | -| 2060 | CKV2_DOCKER_14 | resource | ARG | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) | -| 2061 | CKV2_DOCKER_14 | resource | ENV | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) | -| 2062 | CKV2_DOCKER_14 | resource | RUN | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) | -| 2063 | CKV2_DOCKER_15 | resource | RUN | Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option | dockerfile | [RunYumConfigManagerSslVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunYumConfigManagerSslVerify.yaml) | -| 2064 | CKV2_DOCKER_16 | resource | ARG | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) | -| 2065 | CKV2_DOCKER_16 | resource | ENV | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) | -| 2066 | CKV2_DOCKER_16 | resource | RUN | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) | -| 2067 | CKV2_DOCKER_17 | resource | RUN | Ensure that 'chpasswd' is not used to set or remove passwords | dockerfile | [RunChpasswd.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunChpasswd.yaml) | -| 2068 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClusterLogging.py) | -| 2069 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | [GoogleComputeFirewallUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress22.py) | -| 2070 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3389.py) | -| 2071 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | [GoogleComputeSSLPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSSLPolicy.py) | -| 2072 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | [GoogleCloudSqlDatabaseRequireSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py) | -| 2073 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | [GKEDisableLegacyAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDisableLegacyAuth.py) | -| 2074 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMonitoringEnabled.py) | -| 2075 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoRepairEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoRepairEnabled.py) | -| 2076 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoUpgradeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoUpgradeEnabled.py) | -| 2077 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | [GoogleCloudSqlDatabasePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabasePubliclyAccessible.py) | -| 2078 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | [GKENetworkPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENetworkPolicyEnabled.py) | -| 2079 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | [GKEClientCertificateDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py) | -| 2080 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | [GoogleCloudSqlBackupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlBackupConfiguration.py) | -| 2081 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | [GoogleBigQueryDatasetPublicACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleBigQueryDatasetPublicACL.py) | -| 2082 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | [GoogleCloudDNSSECEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSSECEnabled.py) | -| 2083 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | [GoogleCloudDNSKeySpecsRSASHA1.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSKeySpecsRSASHA1.py) | -| 2084 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | [GKEPublicControlPlane.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPublicControlPlane.py) | -| 2085 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | [GKEBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBasicAuth.py) | -| 2086 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | [GKEMasterAuthorizedNetworksEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMasterAuthorizedNetworksEnabled.py) | -| 2087 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | [GKEHasLabels.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEHasLabels.py) | -| 2088 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | [GKEUseCosImage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py) | -| 2089 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | [GKEAliasIpEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEAliasIpEnabled.py) | -| 2090 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | [GKEPodSecurityPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py) | -| 2091 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | [GKEPrivateClusterConfig.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateClusterConfig.py) | -| 2092 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | [GoogleSubnetworkLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkLoggingEnabled.py) | -| 2093 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | [GoogleProjectDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectDefaultNetwork.py) | -| 2094 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | -| 2095 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | -| 2096 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | [GoogleStorageBucketUniformAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketUniformAccess.py) | -| 2097 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | -| 2098 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | -| 2099 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | -| 2100 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | -| 2101 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | -| 2102 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | -| 2103 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | -| 2104 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | -| 2105 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | -| 2106 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | [GoogleComputeProjectOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeProjectOSLogin.py) | -| 2107 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | -| 2108 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | -| 2109 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | -| 2110 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | -| 2111 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | -| 2112 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | -| 2113 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | -| 2114 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | -| 2115 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | -| 2116 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDiskEncryption.py) | -| 2117 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeBootDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBootDiskEncryption.py) | -| 2118 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | -| 2119 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | -| 2120 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | -| 2121 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | -| 2122 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | -| 2123 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | -| 2124 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | -| 2125 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | -| 2126 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | [GoogleProjectAdminServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectAdminServiceAccount.py) | -| 2127 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | [GoogleKMSRotationPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py) | -| 2128 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | -| 2129 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | -| 2130 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | -| 2131 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | -| 2132 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | -| 2133 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | -| 2134 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | -| 2135 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | -| 2136 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | -| 2137 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | -| 2138 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | -| 2139 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | -| 2140 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | [GoogleCloudMySqlLocalInfileOff.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudMySqlLocalInfileOff.py) | -| 2141 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogCheckpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py) | -| 2142 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogConnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py) | -| 2143 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogDisconnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py) | -| 2144 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogLockWaits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py) | -| 2145 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | [GoogleCloudPostgreSqlLogMinMessage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinMessage.py) | -| 2146 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | [GoogleCloudPostgreSqlLogTemp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogTemp.py) | -| 2147 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | [GoogleCloudPostgreSqlLogMinDuration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinDuration.py) | -| 2148 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | [GoogleCloudSqlServerCrossDBOwnershipChaining.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerCrossDBOwnershipChaining.py) | -| 2149 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | [GoogleCloudSqlServerContainedDBAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerContainedDBAuthentication.py) | -| 2150 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | [GoogleCloudSqlServerNoPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerNoPublicIP.py) | -| 2151 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | [GKEEnableVPCFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableVPCFlowLogs.py) | -| 2152 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | [CloudStorageLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageLogging.py) | -| 2153 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | [CloudStorageSelfLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageSelfLogging.py) | -| 2154 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | [GKEPrivateNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateNodes.py) | -| 2155 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | [GKEKubernetesRBACGoogleGroups.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEKubernetesRBACGoogleGroups.py) | -| 2156 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | [GKEBinaryAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py) | -| 2157 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | -| 2158 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | -| 2159 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | -| 2160 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | -| 2161 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | [GKEReleaseChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEReleaseChannel.py) | -| 2162 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | [GKEEnableShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableShieldedNodes.py) | -| 2163 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | -| 2164 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | -| 2165 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [CloudArmorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py) | -| 2166 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | [GoogleSubnetworkPrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py) | -| 2167 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | [GoogleComputeFirewallUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress21.py) | -| 2168 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | [GoogleSubnetworkIPV6PrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py) | -| 2169 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | [GoogleComputeFirewallUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress20.py) | -| 2170 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | [CloudStorageVersioningEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageVersioningEnabled.py) | -| 2171 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | [CloudSqlMajorVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudSqlMajorVersion.py) | -| 2172 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryTableEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableEncryptedWithCMK.py) | -| 2173 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryDatasetEncryptedWithCMK.py) | -| 2174 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | [GoogleKMSPreventDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSPreventDestroy.py) | -| 2175 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [CloudPubSubEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudPubSubEncryptedWithCMK.py) | -| 2176 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [ArtifactRegsitryEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegsitryEncryptedWithCMK.py) | -| 2177 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigTableInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceEncryptedWithCMK.py) | -| 2178 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | [CloudBuildWorkersArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudBuildWorkersArePrivate.py) | -| 2179 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | [DataFusionPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionPrivateInstance.py) | -| 2180 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3306.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3306.py) | -| 2181 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | [VertexAIPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIPrivateInstance.py) | -| 2182 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataflowJobEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowJobEncryptedWithCMK.py) | -| 2183 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataprocClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocClusterEncryptedWithCMK.py) | -| 2184 | CKV_GCP_92 | resource | google_vertex_ai_dataset | Ensure Vertex AI datasets uses a CMK (Customer Manager Key) | Terraform | [VertexAIDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIDatasetEncryptedWithCMK.py) | -| 2185 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [SpannerDatabaseEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseEncryptedWithCMK.py) | -| 2186 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | [DataflowPrivateJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowPrivateJob.py) | -| 2187 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | [MemorystoreForRedisAuthEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisAuthEnabled.py) | -| 2188 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Manager Key) | Terraform | [VertexAIMetadataStoreEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIMetadataStoreEncryptedWithCMK.py) | -| 2189 | CKV_GCP_97 | resource | google_redis_instance | Ensure Memorystore for Redis uses intransit encryption | Terraform | [MemorystoreForRedisInTransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisInTransitEncryption.py) | -| 2190 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | -| 2191 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | -| 2192 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | -| 2193 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | -| 2194 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | -| 2195 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | -| 2196 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | -| 2197 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | -| 2198 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | -| 2199 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | -| 2200 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | [DataprocPublicIpCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPublicIpCluster.py) | -| 2201 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | [DataFusionStackdriverLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverLogs.py) | -| 2202 | CKV_GCP_105 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver monitoring enabled | Terraform | [DataFusionStackdriverMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverMonitoring.py) | -| 2203 | CKV_GCP_106 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | Terraform | [GoogleComputeFirewallUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress80.py) | -| 2204 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 2205 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 2206 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 2207 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 2208 | CKV_GCP_108 | resource | google_sql_database_instance | Ensure hostnames are logged for GCP PostgreSQL databases | Terraform | [GoogleCloudPostgreSqlLogHostname.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogHostname.py) | -| 2209 | CKV_GCP_109 | resource | google_sql_database_instance | Ensure the GCP PostgreSQL database log levels are set to ERROR or lower | Terraform | [GoogleCloudPostgreSqlLogMinErrorStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinErrorStatement.py) | -| 2210 | CKV_GCP_110 | resource | google_sql_database_instance | Ensure pgAudit is enabled for your GCP PostgreSQL database | Terraform | [GoogleCloudPostgreSqlEnablePgaudit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlEnablePgaudit.py) | -| 2211 | CKV_GCP_111 | resource | google_sql_database_instance | Ensure GCP PostgreSQL logs SQL statements | Terraform | [GoogleCloudPostgreSqlLogStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogStatement.py) | -| 2212 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_binding | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 2213 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_member | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 2214 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_policy | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 2215 | CKV_GCP_113 | data | google_iam_policy | Ensure IAM policy should not define public access | Terraform | [GooglePolicyIsPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py) | -| 2216 | CKV_GCP_114 | resource | google_storage_bucket | Ensure public access prevention is enforced on Cloud Storage bucket | Terraform | [GoogleStoragePublicAccessPrevention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStoragePublicAccessPrevention.py) | -| 2217 | CKV_GCP_115 | resource | google_organization_iam_binding | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | -| 2218 | CKV_GCP_115 | resource | google_organization_iam_member | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | -| 2219 | CKV_GCP_116 | resource | google_folder_iam_binding | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | -| 2220 | CKV_GCP_116 | resource | google_folder_iam_member | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | -| 2221 | CKV_GCP_117 | resource | google_project_iam_binding | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | -| 2222 | CKV_GCP_117 | resource | google_project_iam_member | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | -| 2223 | CKV_GCP_118 | resource | google_iam_workload_identity_pool_provider | Ensure IAM workload identity pool provider is restricted | Terraform | [GoogleIAMWorkloadIdentityConditional.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleIAMWorkloadIdentityConditional.py) | -| 2224 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | [GKEClustersAreNotUsingDefaultServiceAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GKEClustersAreNotUsingDefaultServiceAccount.yaml) | -| 2225 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | [GCPProjectHasNoLegacyNetworks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPProjectHasNoLegacyNetworks.yaml) | -| 2226 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | [ServiceAccountHasGCPmanagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/ServiceAccountHasGCPmanagedKey.yaml) | -| 2227 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 2228 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 2229 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 2230 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 2231 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | -| 2232 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | -| 2233 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 2234 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 2235 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 2236 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | -| 2237 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | -| 2238 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 2239 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 2240 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 2241 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 2242 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 2243 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 2244 | CKV2_GCP_10 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function HTTP trigger is secured | Terraform | [CloudFunctionSecureHTTPTrigger.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml) | -| 2245 | CKV2_GCP_11 | resource | google_project_services | Ensure GCP GCR Container Vulnerability Scanning is enabled | Terraform | [GCRContainerVulnerabilityScanningEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCRContainerVulnerabilityScanningEnabled.yaml) | -| 2246 | CKV2_GCP_12 | resource | google_compute_firewall | Ensure GCP compute firewall ingress does not allow unrestricted access to all ports | Terraform | [GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml) | -| 2247 | CKV2_GCP_13 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_duration' is set to 'on' | Terraform | [GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml) | -| 2248 | CKV2_GCP_14 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml) | -| 2249 | CKV2_GCP_15 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml) | -| 2250 | CKV2_GCP_16 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml) | -| 2251 | CKV2_GCP_17 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml) | -| 2252 | CKV2_GCP_18 | resource | google_compute_network | Ensure GCP network defines a firewall and does not use the default firewall | Terraform | [GCPNetworkDoesNotUseDefaultFirewall.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml) | -| 2253 | CKV2_GCP_19 | resource | google_container_cluster | Ensure GCP Kubernetes engine clusters have 'alpha cluster' feature disabled | Terraform | [GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml) | -| 2254 | CKV2_GCP_20 | resource | google_sql_database_instance | Ensure MySQL DB instance has point-in-time recovery backup configured | Terraform | [GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml) | -| 2255 | CKV_GHA_1 | jobs | jobs | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables | github_actions | [AllowUnsecureCommandsOnJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/AllowUnsecureCommandsOnJob.py) | -| 2256 | CKV_GHA_1 | jobs | jobs.*.steps[] | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables | github_actions | [AllowUnsecureCommandsOnJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/AllowUnsecureCommandsOnJob.py) | -| 2257 | CKV_GHA_2 | jobs | jobs | Ensure run commands are not vulnerable to shell injection | github_actions | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ShellInjection.py) | -| 2258 | CKV_GHA_2 | jobs | jobs.*.steps[] | Ensure run commands are not vulnerable to shell injection | github_actions | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ShellInjection.py) | -| 2259 | CKV_GHA_3 | jobs | jobs | Suspicious use of curl with secrets | github_actions | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/SuspectCurlInScript.py) | -| 2260 | CKV_GHA_3 | jobs | jobs.*.steps[] | Suspicious use of curl with secrets | github_actions | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/SuspectCurlInScript.py) | -| 2261 | CKV_GHA_4 | jobs | jobs | Suspicious use of netcat with IP address | github_actions | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ReverseShellNetcat.py) | -| 2262 | CKV_GHA_4 | jobs | jobs.*.steps[] | Suspicious use of netcat with IP address | github_actions | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ReverseShellNetcat.py) | -| 2263 | CKV_GHA_5 | jobs | jobs | Found artifact build without evidence of cosign sign execution in pipeline | github_actions | [CosignArtifacts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/CosignArtifacts.py) | -| 2264 | CKV_GHA_6 | jobs | jobs | Found artifact build without evidence of cosign sbom attestation in pipeline | github_actions | [CosignSBOM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/CosignSBOM.py) | -| 2265 | CKV_GHA_7 | jobs | on | The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. | github_actions | [EmptyWorkflowDispatch.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/EmptyWorkflowDispatch.py) | -| 2266 | CKV2_GHA_1 | resource | permissions | Ensure top-level permissions are not set to write-all | github_actions | [ReadOnlyTopLevelPermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/graph_checks/ReadOnlyTopLevelPermissions.yaml) | -| 2267 | CKV_GIT_1 | resource | github_repository | Ensure GitHub repository is Private | Terraform | [PrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/PrivateRepo.py) | -| 2268 | CKV_GIT_2 | resource | github_repository_webhook | Ensure GitHub repository webhooks are using HTTPS | Terraform | [WebhookInsecureSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/WebhookInsecureSsl.py) | -| 2269 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | [RepositoryEnableVulnerabilityAlerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py) | -| 2270 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 2271 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 2272 | CKV_GIT_4 | resource | github_actions_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 2273 | CKV_GIT_5 | resource | github_branch_protection | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | -| 2274 | CKV_GIT_5 | resource | github_branch_protection_v3 | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | -| 2275 | CKV_GIT_6 | resource | github_branch_protection | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | -| 2276 | CKV_GIT_6 | resource | github_branch_protection_v3 | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | -| 2277 | CKV2_GIT_1 | resource | github_repository | Ensure each Repository has branch protection associated | Terraform | [RepositoryHasBranchProtection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/github/RepositoryHasBranchProtection.yaml) | -| 2278 | CKV_GITHUB_1 | github_configuration | * | Ensure GitHub organization security settings require 2FA | github_configuration | [2fa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/2fa.py) | -| 2279 | CKV_GITHUB_2 | github_configuration | * | Ensure GitHub organization security settings require SSO | github_configuration | [sso.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/sso.py) | -| 2280 | CKV_GITHUB_3 | github_configuration | * | Ensure GitHub organization security settings has IP allow list enabled | github_configuration | [ipallowlist.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/ipallowlist.py) | -| 2281 | CKV_GITHUB_4 | github_configuration | * | Ensure GitHub branch protection rules requires signed commits | github_configuration | [require_signatures.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_signatures.py) | -| 2282 | CKV_GITHUB_5 | github_configuration | * | Ensure GitHub branch protection rules does not allow force pushes | github_configuration | [disallow_force_pushes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_force_pushes.py) | -| 2283 | CKV_GITHUB_6 | github_configuration | * | Ensure GitHub organization webhooks are using HTTPS | github_configuration | [webhooks_https_orgs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/webhooks_https_orgs.py) | -| 2284 | CKV_GITHUB_7 | github_configuration | * | Ensure GitHub repository webhooks are using HTTPS | github_configuration | [webhooks_https_repos.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/webhooks_https_repos.py) | -| 2285 | CKV_GITHUB_8 | github_configuration | * | Ensure GitHub branch protection rules requires linear history | github_configuration | [require_linear_history.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_linear_history.py) | -| 2286 | CKV_GITHUB_9 | github_configuration | * | Ensure 2 admins are set for each repository | github_configuration | [repository_collaborators.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/repository_collaborators.py) | -| 2287 | CKV_GITHUB_10 | github_configuration | * | Ensure branch protection rules are enforced on administrators | github_configuration | [enforce_branch_protection_admins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/enforce_branch_protection_admins.py) | -| 2288 | CKV_GITHUB_11 | github_configuration | * | Ensure GitHub branch protection dismisses stale review on new commit | github_configuration | [dismiss_stale_reviews.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/dismiss_stale_reviews.py) | -| 2289 | CKV_GITHUB_12 | github_configuration | * | Ensure GitHub branch protection restricts who can dismiss PR reviews | github_configuration | [restrict_pr_review_dismissal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/restrict_pr_review_dismissal.py) | -| 2290 | CKV_GITHUB_13 | github_configuration | * | Ensure GitHub branch protection requires CODEOWNER reviews | github_configuration | [require_code_owner_reviews.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_code_owner_reviews.py) | -| 2291 | CKV_GITHUB_14 | github_configuration | * | Ensure all checks have passed before the merge of new code | github_configuration | [require_status_checks_pr.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_status_checks_pr.py) | -| 2292 | CKV_GITHUB_15 | github_configuration | * | Ensure inactive branches are reviewed and removed periodically | github_configuration | [disallow_inactive_branch_60days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_inactive_branch_60days.py) | -| 2293 | CKV_GITHUB_16 | github_configuration | * | Ensure GitHub branch protection requires conversation resolution | github_configuration | [require_conversation_resolution.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_conversation_resolution.py) | -| 2294 | CKV_GITHUB_17 | github_configuration | * | Ensure GitHub branch protection requires push restrictions | github_configuration | [require_push_restrictions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_push_restrictions.py) | -| 2295 | CKV_GITHUB_18 | github_configuration | * | Ensure GitHub branch protection rules does not allow deletions | github_configuration | [disallow_branch_deletions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_branch_deletions.py) | -| 2296 | CKV_GITHUB_19 | github_configuration | * | Ensure any change to code receives approval of two strongly authenticated users | github_configuration | [require_2approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_2approvals.py) | -| 2297 | CKV_GITHUB_20 | github_configuration | * | Ensure open git branches are up to date before they can be merged into codebase | github_configuration | [require_updated_branch_pr.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_updated_branch_pr.py) | -| 2298 | CKV_GITHUB_21 | github_configuration | * | Ensure public repository creation is limited to specific members | github_configuration | [public_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/public_repository_creation_is_limited.py) | -| 2299 | CKV_GITHUB_22 | github_configuration | * | Ensure private repository creation is limited to specific members | github_configuration | [private_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/private_repository_creation_is_limited.py) | -| 2300 | CKV_GITHUB_23 | github_configuration | * | Ensure internal repository creation is limited to specific members | github_configuration | [internal_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/internal_repository_creation_is_limited.py) | -| 2301 | CKV_GITHUB_26 | github_configuration | * | Ensure minimum admins are set for the organization | github_configuration | [minimum_admins_in_org.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/minimum_admins_in_org.py) | -| 2302 | CKV_GITHUB_27 | github_configuration | * | Ensure strict base permissions are set for repositories | github_configuration | [require_strict_base_permissions_repository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_strict_base_permissions_repository.py) | -| 2303 | CKV_GITHUB_28 | github_configuration | * | Ensure an organization's identity is confirmed with a Verified badge Passed | github_configuration | [require_verified_organization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_verified_organization.py) | -| 2304 | CKV_GITLAB_1 | gitlab_configuration | * | Merge requests should require at least 2 approvals | gitlab_configuration | [merge_requests_approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab/checks/merge_requests_approvals.py) | -| 2305 | CKV_GITLAB_2 | gitlab_configuration | * | Ensure all Gitlab groups require two factor authentication | gitlab_configuration | [two_factor_authentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab/checks/two_factor_authentication.py) | -| 2306 | CKV_GITLABCI_1 | jobs | *.script[] | Suspicious use of curl with CI environment variables in script | gitlab_ci | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/SuspectCurlInScript.py) | -| 2307 | CKV_GITLABCI_2 | jobs | *.rules | Avoid creating rules that generate double pipelines | gitlab_ci | [AvoidDoublePipelines.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/AvoidDoublePipelines.py) | -| 2308 | CKV_GITLABCI_3 | jobs | *.image[] | Detecting image usages in gitlab workflows | gitlab_ci | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/DetectImagesUsage.py) | -| 2309 | CKV_GITLABCI_3 | jobs | *.services[] | Detecting image usages in gitlab workflows | gitlab_ci | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/DetectImagesUsage.py) | -| 2310 | CKV_GLB_1 | resource | gitlab_project | Ensure at least two approving reviews are required to merge a GitLab MR | Terraform | [RequireTwoApprovalsToMerge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RequireTwoApprovalsToMerge.py) | -| 2311 | CKV_GLB_2 | resource | gitlab_branch_protection | Ensure GitLab branch protection rules does not allow force pushes | Terraform | [ForcePushDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/ForcePushDisabled.py) | -| 2312 | CKV_GLB_3 | resource | gitlab_project | Ensure GitLab prevent secrets is enabled | Terraform | [PreventSecretsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/PreventSecretsEnabled.py) | -| 2313 | CKV_GLB_4 | resource | gitlab_project | Ensure GitLab commits are signed | Terraform | [RejectUnsignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RejectUnsignedCommits.py) | -| 2314 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPIDPSP.py) | -| 2315 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPIDPSP.py) | -| 2316 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | [PrivilegedContainersPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainersPSP.py) | -| 2317 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | [PrivilegedContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainerPSP.py) | -| 2318 | CKV_K8S_3 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPCPSP.py) | -| 2319 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPCPSP.py) | -| 2320 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespacePSP.py) | -| 2321 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespacePSP.py) | -| 2322 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalationPSP.py) | -| 2323 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalationPSP.py) | -| 2324 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers | Kubernetes | [RootContainersPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersPSP.py) | -| 2325 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | [RootContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py) | -| 2326 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilitiesPSP.py) | -| 2327 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py) | -| 2328 | CKV_K8S_8 | resource | DaemonSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2329 | CKV_K8S_8 | resource | Deployment | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2330 | CKV_K8S_8 | resource | DeploymentConfig | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2331 | CKV_K8S_8 | resource | Pod | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2332 | CKV_K8S_8 | resource | PodTemplate | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2333 | CKV_K8S_8 | resource | ReplicaSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2334 | CKV_K8S_8 | resource | ReplicationController | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2335 | CKV_K8S_8 | resource | StatefulSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2336 | CKV_K8S_8 | resource | kubernetes_deployment | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 2337 | CKV_K8S_8 | resource | kubernetes_deployment_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 2338 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 2339 | CKV_K8S_8 | resource | kubernetes_pod_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 2340 | CKV_K8S_9 | resource | DaemonSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2341 | CKV_K8S_9 | resource | Deployment | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2342 | CKV_K8S_9 | resource | DeploymentConfig | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2343 | CKV_K8S_9 | resource | Pod | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2344 | CKV_K8S_9 | resource | PodTemplate | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2345 | CKV_K8S_9 | resource | ReplicaSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2346 | CKV_K8S_9 | resource | ReplicationController | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2347 | CKV_K8S_9 | resource | StatefulSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2348 | CKV_K8S_9 | resource | kubernetes_deployment | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 2349 | CKV_K8S_9 | resource | kubernetes_deployment_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 2350 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 2351 | CKV_K8S_9 | resource | kubernetes_pod_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 2352 | CKV_K8S_10 | resource | CronJob | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2353 | CKV_K8S_10 | resource | DaemonSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2354 | CKV_K8S_10 | resource | Deployment | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2355 | CKV_K8S_10 | resource | DeploymentConfig | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2356 | CKV_K8S_10 | resource | Job | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2357 | CKV_K8S_10 | resource | Pod | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2358 | CKV_K8S_10 | resource | PodTemplate | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2359 | CKV_K8S_10 | resource | ReplicaSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2360 | CKV_K8S_10 | resource | ReplicationController | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2361 | CKV_K8S_10 | resource | StatefulSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2362 | CKV_K8S_10 | resource | kubernetes_deployment | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 2363 | CKV_K8S_10 | resource | kubernetes_deployment_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 2364 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 2365 | CKV_K8S_10 | resource | kubernetes_pod_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 2366 | CKV_K8S_11 | resource | CronJob | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2367 | CKV_K8S_11 | resource | DaemonSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2368 | CKV_K8S_11 | resource | Deployment | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2369 | CKV_K8S_11 | resource | DeploymentConfig | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2370 | CKV_K8S_11 | resource | Job | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2371 | CKV_K8S_11 | resource | Pod | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2372 | CKV_K8S_11 | resource | PodTemplate | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2373 | CKV_K8S_11 | resource | ReplicaSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2374 | CKV_K8S_11 | resource | ReplicationController | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2375 | CKV_K8S_11 | resource | StatefulSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2376 | CKV_K8S_11 | resource | kubernetes_deployment | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 2377 | CKV_K8S_11 | resource | kubernetes_deployment_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 2378 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 2379 | CKV_K8S_11 | resource | kubernetes_pod_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 2380 | CKV_K8S_12 | resource | CronJob | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2381 | CKV_K8S_12 | resource | DaemonSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2382 | CKV_K8S_12 | resource | Deployment | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2383 | CKV_K8S_12 | resource | DeploymentConfig | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2384 | CKV_K8S_12 | resource | Job | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2385 | CKV_K8S_12 | resource | Pod | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2386 | CKV_K8S_12 | resource | PodTemplate | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2387 | CKV_K8S_12 | resource | ReplicaSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2388 | CKV_K8S_12 | resource | ReplicationController | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2389 | CKV_K8S_12 | resource | StatefulSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2390 | CKV_K8S_12 | resource | kubernetes_deployment | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 2391 | CKV_K8S_12 | resource | kubernetes_deployment_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 2392 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 2393 | CKV_K8S_12 | resource | kubernetes_pod_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 2394 | CKV_K8S_13 | resource | CronJob | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2395 | CKV_K8S_13 | resource | DaemonSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2396 | CKV_K8S_13 | resource | Deployment | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2397 | CKV_K8S_13 | resource | DeploymentConfig | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2398 | CKV_K8S_13 | resource | Job | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2399 | CKV_K8S_13 | resource | Pod | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2400 | CKV_K8S_13 | resource | PodTemplate | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2401 | CKV_K8S_13 | resource | ReplicaSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2402 | CKV_K8S_13 | resource | ReplicationController | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2403 | CKV_K8S_13 | resource | StatefulSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2404 | CKV_K8S_13 | resource | kubernetes_deployment | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 2405 | CKV_K8S_13 | resource | kubernetes_deployment_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 2406 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 2407 | CKV_K8S_13 | resource | kubernetes_pod_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 2408 | CKV_K8S_14 | resource | CronJob | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2409 | CKV_K8S_14 | resource | DaemonSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2410 | CKV_K8S_14 | resource | Deployment | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2411 | CKV_K8S_14 | resource | DeploymentConfig | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2412 | CKV_K8S_14 | resource | Job | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2413 | CKV_K8S_14 | resource | Pod | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2414 | CKV_K8S_14 | resource | PodTemplate | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2415 | CKV_K8S_14 | resource | ReplicaSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2416 | CKV_K8S_14 | resource | ReplicationController | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2417 | CKV_K8S_14 | resource | StatefulSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2418 | CKV_K8S_14 | resource | kubernetes_deployment | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 2419 | CKV_K8S_14 | resource | kubernetes_deployment_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 2420 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 2421 | CKV_K8S_14 | resource | kubernetes_pod_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 2422 | CKV_K8S_15 | resource | CronJob | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2423 | CKV_K8S_15 | resource | DaemonSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2424 | CKV_K8S_15 | resource | Deployment | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2425 | CKV_K8S_15 | resource | DeploymentConfig | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2426 | CKV_K8S_15 | resource | Job | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2427 | CKV_K8S_15 | resource | Pod | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2428 | CKV_K8S_15 | resource | PodTemplate | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2429 | CKV_K8S_15 | resource | ReplicaSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2430 | CKV_K8S_15 | resource | ReplicationController | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2431 | CKV_K8S_15 | resource | StatefulSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2432 | CKV_K8S_15 | resource | kubernetes_deployment | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 2433 | CKV_K8S_15 | resource | kubernetes_deployment_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 2434 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 2435 | CKV_K8S_15 | resource | kubernetes_pod_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 2436 | CKV_K8S_16 | resource | CronJob | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2437 | CKV_K8S_16 | resource | DaemonSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2438 | CKV_K8S_16 | resource | Deployment | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2439 | CKV_K8S_16 | resource | DeploymentConfig | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2440 | CKV_K8S_16 | resource | Job | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2441 | CKV_K8S_16 | resource | Pod | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2442 | CKV_K8S_16 | resource | PodTemplate | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2443 | CKV_K8S_16 | resource | ReplicaSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2444 | CKV_K8S_16 | resource | ReplicationController | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2445 | CKV_K8S_16 | resource | StatefulSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2446 | CKV_K8S_16 | resource | kubernetes_deployment | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 2447 | CKV_K8S_16 | resource | kubernetes_deployment_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 2448 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 2449 | CKV_K8S_16 | resource | kubernetes_pod_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 2450 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2451 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2452 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2453 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2454 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2455 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2456 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2457 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2458 | CKV_K8S_17 | resource | kubernetes_deployment | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 2459 | CKV_K8S_17 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 2460 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 2461 | CKV_K8S_17 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 2462 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2463 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2464 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2465 | CKV_K8S_18 | resource | Job | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2466 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2467 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2468 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2469 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2470 | CKV_K8S_18 | resource | kubernetes_deployment | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 2471 | CKV_K8S_18 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 2472 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 2473 | CKV_K8S_18 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 2474 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2475 | CKV_K8S_19 | resource | DaemonSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2476 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2477 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2478 | CKV_K8S_19 | resource | Pod | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2479 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2480 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2481 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2482 | CKV_K8S_19 | resource | kubernetes_deployment | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 2483 | CKV_K8S_19 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 2484 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 2485 | CKV_K8S_19 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 2486 | CKV_K8S_20 | resource | CronJob | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2487 | CKV_K8S_20 | resource | DaemonSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2488 | CKV_K8S_20 | resource | Deployment | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2489 | CKV_K8S_20 | resource | DeploymentConfig | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2490 | CKV_K8S_20 | resource | Job | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2491 | CKV_K8S_20 | resource | Pod | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2492 | CKV_K8S_20 | resource | PodTemplate | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2493 | CKV_K8S_20 | resource | ReplicaSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2494 | CKV_K8S_20 | resource | ReplicationController | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2495 | CKV_K8S_20 | resource | StatefulSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2496 | CKV_K8S_20 | resource | kubernetes_deployment | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 2497 | CKV_K8S_20 | resource | kubernetes_deployment_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 2498 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 2499 | CKV_K8S_20 | resource | kubernetes_pod_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 2500 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2501 | CKV_K8S_21 | resource | CronJob | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2502 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2503 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2504 | CKV_K8S_21 | resource | Ingress | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2505 | CKV_K8S_21 | resource | Job | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2506 | CKV_K8S_21 | resource | Pod | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2507 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2508 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2509 | CKV_K8S_21 | resource | Role | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2510 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2511 | CKV_K8S_21 | resource | Secret | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2512 | CKV_K8S_21 | resource | Service | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2513 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2514 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2515 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2516 | CKV_K8S_21 | resource | kubernetes_config_map_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2517 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2518 | CKV_K8S_21 | resource | kubernetes_cron_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2519 | CKV_K8S_21 | resource | kubernetes_daemon_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2520 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2521 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2522 | CKV_K8S_21 | resource | kubernetes_deployment_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2523 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2524 | CKV_K8S_21 | resource | kubernetes_ingress_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2525 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2526 | CKV_K8S_21 | resource | kubernetes_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2527 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2528 | CKV_K8S_21 | resource | kubernetes_pod_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2529 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2530 | CKV_K8S_21 | resource | kubernetes_replication_controller_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2531 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2532 | CKV_K8S_21 | resource | kubernetes_role_binding_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2533 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2534 | CKV_K8S_21 | resource | kubernetes_secret_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2535 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2536 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2537 | CKV_K8S_21 | resource | kubernetes_service_account_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2538 | CKV_K8S_21 | resource | kubernetes_service_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2539 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2540 | CKV_K8S_21 | resource | kubernetes_stateful_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2541 | CKV_K8S_22 | resource | CronJob | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2542 | CKV_K8S_22 | resource | DaemonSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2543 | CKV_K8S_22 | resource | Deployment | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2544 | CKV_K8S_22 | resource | DeploymentConfig | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2545 | CKV_K8S_22 | resource | Job | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2546 | CKV_K8S_22 | resource | Pod | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2547 | CKV_K8S_22 | resource | PodTemplate | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2548 | CKV_K8S_22 | resource | ReplicaSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2549 | CKV_K8S_22 | resource | ReplicationController | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2550 | CKV_K8S_22 | resource | StatefulSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2551 | CKV_K8S_22 | resource | kubernetes_deployment | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 2552 | CKV_K8S_22 | resource | kubernetes_deployment_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 2553 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 2554 | CKV_K8S_22 | resource | kubernetes_pod_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 2555 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2556 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2557 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2558 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2559 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2560 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2561 | CKV_K8S_23 | resource | ReplicationController | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2562 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2563 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesPSP.py) | -| 2564 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesPSP.py) | -| 2565 | CKV_K8S_25 | resource | CronJob | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2566 | CKV_K8S_25 | resource | DaemonSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2567 | CKV_K8S_25 | resource | Deployment | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2568 | CKV_K8S_25 | resource | DeploymentConfig | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2569 | CKV_K8S_25 | resource | Job | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2570 | CKV_K8S_25 | resource | Pod | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2571 | CKV_K8S_25 | resource | PodTemplate | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2572 | CKV_K8S_25 | resource | ReplicaSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2573 | CKV_K8S_25 | resource | ReplicationController | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2574 | CKV_K8S_25 | resource | StatefulSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2575 | CKV_K8S_25 | resource | kubernetes_deployment | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 2576 | CKV_K8S_25 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 2577 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 2578 | CKV_K8S_25 | resource | kubernetes_pod_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 2579 | CKV_K8S_26 | resource | CronJob | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2580 | CKV_K8S_26 | resource | DaemonSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2581 | CKV_K8S_26 | resource | Deployment | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2582 | CKV_K8S_26 | resource | DeploymentConfig | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2583 | CKV_K8S_26 | resource | Job | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2584 | CKV_K8S_26 | resource | Pod | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2585 | CKV_K8S_26 | resource | PodTemplate | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2586 | CKV_K8S_26 | resource | ReplicaSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2587 | CKV_K8S_26 | resource | ReplicationController | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2588 | CKV_K8S_26 | resource | StatefulSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2589 | CKV_K8S_26 | resource | kubernetes_deployment | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 2590 | CKV_K8S_26 | resource | kubernetes_deployment_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 2591 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 2592 | CKV_K8S_26 | resource | kubernetes_pod_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 2593 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2594 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2595 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2596 | CKV_K8S_27 | resource | Job | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2597 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2598 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2599 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2600 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2601 | CKV_K8S_27 | resource | kubernetes_daemon_set_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2602 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2603 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2604 | CKV_K8S_27 | resource | kubernetes_deployment_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2605 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2606 | CKV_K8S_27 | resource | kubernetes_pod_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2607 | CKV_K8S_28 | resource | CronJob | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2608 | CKV_K8S_28 | resource | DaemonSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2609 | CKV_K8S_28 | resource | Deployment | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2610 | CKV_K8S_28 | resource | DeploymentConfig | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2611 | CKV_K8S_28 | resource | Job | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2612 | CKV_K8S_28 | resource | Pod | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2613 | CKV_K8S_28 | resource | PodTemplate | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2614 | CKV_K8S_28 | resource | ReplicaSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2615 | CKV_K8S_28 | resource | ReplicationController | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2616 | CKV_K8S_28 | resource | StatefulSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2617 | CKV_K8S_28 | resource | kubernetes_deployment | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 2618 | CKV_K8S_28 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 2619 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 2620 | CKV_K8S_28 | resource | kubernetes_pod_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 2621 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2622 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2623 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2624 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2625 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2626 | CKV_K8S_29 | resource | ReplicaSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2627 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2628 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2629 | CKV_K8S_29 | resource | kubernetes_daemon_set_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2630 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2631 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2632 | CKV_K8S_29 | resource | kubernetes_deployment_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2633 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2634 | CKV_K8S_29 | resource | kubernetes_pod_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2635 | CKV_K8S_30 | resource | CronJob | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2636 | CKV_K8S_30 | resource | DaemonSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2637 | CKV_K8S_30 | resource | Deployment | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2638 | CKV_K8S_30 | resource | DeploymentConfig | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2639 | CKV_K8S_30 | resource | Job | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2640 | CKV_K8S_30 | resource | Pod | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2641 | CKV_K8S_30 | resource | PodTemplate | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2642 | CKV_K8S_30 | resource | ReplicaSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2643 | CKV_K8S_30 | resource | ReplicationController | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2644 | CKV_K8S_30 | resource | StatefulSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2645 | CKV_K8S_30 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 2646 | CKV_K8S_30 | resource | kubernetes_deployment_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 2647 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 2648 | CKV_K8S_30 | resource | kubernetes_pod_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 2649 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2650 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2651 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2652 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2653 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2654 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2655 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2656 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2657 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SeccompPSP.py) | -| 2658 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py) | -| 2659 | CKV_K8S_33 | resource | CronJob | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2660 | CKV_K8S_33 | resource | DaemonSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2661 | CKV_K8S_33 | resource | Deployment | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2662 | CKV_K8S_33 | resource | DeploymentConfig | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2663 | CKV_K8S_33 | resource | Job | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2664 | CKV_K8S_33 | resource | Pod | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2665 | CKV_K8S_33 | resource | PodTemplate | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2666 | CKV_K8S_33 | resource | ReplicaSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2667 | CKV_K8S_33 | resource | ReplicationController | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2668 | CKV_K8S_33 | resource | StatefulSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2669 | CKV_K8S_34 | resource | CronJob | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2670 | CKV_K8S_34 | resource | DaemonSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2671 | CKV_K8S_34 | resource | Deployment | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2672 | CKV_K8S_34 | resource | DeploymentConfig | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2673 | CKV_K8S_34 | resource | Job | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2674 | CKV_K8S_34 | resource | Pod | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2675 | CKV_K8S_34 | resource | PodTemplate | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2676 | CKV_K8S_34 | resource | ReplicaSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2677 | CKV_K8S_34 | resource | ReplicationController | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2678 | CKV_K8S_34 | resource | StatefulSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2679 | CKV_K8S_34 | resource | kubernetes_deployment | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 2680 | CKV_K8S_34 | resource | kubernetes_deployment_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 2681 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 2682 | CKV_K8S_34 | resource | kubernetes_pod_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 2683 | CKV_K8S_35 | resource | CronJob | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2684 | CKV_K8S_35 | resource | DaemonSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2685 | CKV_K8S_35 | resource | Deployment | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2686 | CKV_K8S_35 | resource | DeploymentConfig | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2687 | CKV_K8S_35 | resource | Job | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2688 | CKV_K8S_35 | resource | Pod | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2689 | CKV_K8S_35 | resource | PodTemplate | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2690 | CKV_K8S_35 | resource | ReplicaSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2691 | CKV_K8S_35 | resource | ReplicationController | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2692 | CKV_K8S_35 | resource | StatefulSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2693 | CKV_K8S_35 | resource | kubernetes_deployment | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 2694 | CKV_K8S_35 | resource | kubernetes_deployment_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 2695 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 2696 | CKV_K8S_35 | resource | kubernetes_pod_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 2697 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilitiesPSP.py) | -| 2698 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilitiesPSP.py) | -| 2699 | CKV_K8S_37 | resource | CronJob | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2700 | CKV_K8S_37 | resource | DaemonSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2701 | CKV_K8S_37 | resource | Deployment | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2702 | CKV_K8S_37 | resource | DeploymentConfig | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2703 | CKV_K8S_37 | resource | Job | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2704 | CKV_K8S_37 | resource | Pod | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2705 | CKV_K8S_37 | resource | PodTemplate | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2706 | CKV_K8S_37 | resource | ReplicaSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2707 | CKV_K8S_37 | resource | ReplicationController | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2708 | CKV_K8S_37 | resource | StatefulSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2709 | CKV_K8S_37 | resource | kubernetes_deployment | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 2710 | CKV_K8S_37 | resource | kubernetes_deployment_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 2711 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 2712 | CKV_K8S_37 | resource | kubernetes_pod_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 2713 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2714 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2715 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2716 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2717 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2718 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2719 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2720 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2721 | CKV_K8S_39 | resource | CronJob | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2722 | CKV_K8S_39 | resource | DaemonSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2723 | CKV_K8S_39 | resource | Deployment | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2724 | CKV_K8S_39 | resource | DeploymentConfig | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2725 | CKV_K8S_39 | resource | Job | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2726 | CKV_K8S_39 | resource | Pod | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2727 | CKV_K8S_39 | resource | PodTemplate | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2728 | CKV_K8S_39 | resource | ReplicaSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2729 | CKV_K8S_39 | resource | ReplicationController | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2730 | CKV_K8S_39 | resource | StatefulSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2731 | CKV_K8S_39 | resource | kubernetes_deployment | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 2732 | CKV_K8S_39 | resource | kubernetes_deployment_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 2733 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 2734 | CKV_K8S_39 | resource | kubernetes_pod_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 2735 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2736 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2737 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2738 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2739 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2740 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2741 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2742 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2743 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccount.py) | -| 2744 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | -| 2745 | CKV_K8S_41 | resource | kubernetes_service_account_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | -| 2746 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccountBinding.py) | -| 2747 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccountBinding.py) | -| 2748 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 2749 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 2750 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 2751 | CKV_K8S_42 | resource | kubernetes_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 2752 | CKV_K8S_43 | resource | CronJob | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2753 | CKV_K8S_43 | resource | DaemonSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2754 | CKV_K8S_43 | resource | Deployment | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2755 | CKV_K8S_43 | resource | DeploymentConfig | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2756 | CKV_K8S_43 | resource | Job | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2757 | CKV_K8S_43 | resource | Pod | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2758 | CKV_K8S_43 | resource | PodTemplate | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2759 | CKV_K8S_43 | resource | ReplicaSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2760 | CKV_K8S_43 | resource | ReplicationController | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2761 | CKV_K8S_43 | resource | StatefulSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2762 | CKV_K8S_43 | resource | kubernetes_deployment | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 2763 | CKV_K8S_43 | resource | kubernetes_deployment_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 2764 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 2765 | CKV_K8S_43 | resource | kubernetes_pod_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 2766 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerService.py) | -| 2767 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | -| 2768 | CKV_K8S_44 | resource | kubernetes_service_v1 | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | -| 2769 | CKV_K8S_45 | resource | CronJob | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2770 | CKV_K8S_45 | resource | DaemonSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2771 | CKV_K8S_45 | resource | Deployment | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2772 | CKV_K8S_45 | resource | DeploymentConfig | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2773 | CKV_K8S_45 | resource | Job | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2774 | CKV_K8S_45 | resource | Pod | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2775 | CKV_K8S_45 | resource | PodTemplate | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2776 | CKV_K8S_45 | resource | ReplicaSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2777 | CKV_K8S_45 | resource | ReplicationController | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2778 | CKV_K8S_45 | resource | StatefulSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2779 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py) | -| 2780 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py) | -| 2781 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 2782 | CKV_K8S_49 | resource | kubernetes_cluster_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 2783 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 2784 | CKV_K8S_49 | resource | kubernetes_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 2785 | CKV_K8S_68 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2786 | CKV_K8S_68 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2787 | CKV_K8S_68 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2788 | CKV_K8S_68 | resource | DeploymentConfig | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2789 | CKV_K8S_68 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2790 | CKV_K8S_68 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2791 | CKV_K8S_68 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2792 | CKV_K8S_68 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2793 | CKV_K8S_68 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2794 | CKV_K8S_68 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2795 | CKV_K8S_69 | resource | CronJob | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2796 | CKV_K8S_69 | resource | DaemonSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2797 | CKV_K8S_69 | resource | Deployment | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2798 | CKV_K8S_69 | resource | DeploymentConfig | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2799 | CKV_K8S_69 | resource | Job | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2800 | CKV_K8S_69 | resource | Pod | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2801 | CKV_K8S_69 | resource | PodTemplate | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2802 | CKV_K8S_69 | resource | ReplicaSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2803 | CKV_K8S_69 | resource | ReplicationController | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2804 | CKV_K8S_69 | resource | StatefulSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2805 | CKV_K8S_70 | resource | CronJob | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2806 | CKV_K8S_70 | resource | DaemonSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2807 | CKV_K8S_70 | resource | Deployment | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2808 | CKV_K8S_70 | resource | DeploymentConfig | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2809 | CKV_K8S_70 | resource | Job | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2810 | CKV_K8S_70 | resource | Pod | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2811 | CKV_K8S_70 | resource | PodTemplate | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2812 | CKV_K8S_70 | resource | ReplicaSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2813 | CKV_K8S_70 | resource | ReplicationController | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2814 | CKV_K8S_70 | resource | StatefulSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2815 | CKV_K8S_71 | resource | CronJob | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2816 | CKV_K8S_71 | resource | DaemonSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2817 | CKV_K8S_71 | resource | Deployment | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2818 | CKV_K8S_71 | resource | DeploymentConfig | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2819 | CKV_K8S_71 | resource | Job | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2820 | CKV_K8S_71 | resource | Pod | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2821 | CKV_K8S_71 | resource | PodTemplate | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2822 | CKV_K8S_71 | resource | ReplicaSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2823 | CKV_K8S_71 | resource | ReplicationController | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2824 | CKV_K8S_71 | resource | StatefulSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2825 | CKV_K8S_72 | resource | CronJob | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2826 | CKV_K8S_72 | resource | DaemonSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2827 | CKV_K8S_72 | resource | Deployment | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2828 | CKV_K8S_72 | resource | DeploymentConfig | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2829 | CKV_K8S_72 | resource | Job | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2830 | CKV_K8S_72 | resource | Pod | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2831 | CKV_K8S_72 | resource | PodTemplate | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2832 | CKV_K8S_72 | resource | ReplicaSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2833 | CKV_K8S_72 | resource | ReplicationController | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2834 | CKV_K8S_72 | resource | StatefulSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2835 | CKV_K8S_73 | resource | CronJob | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2836 | CKV_K8S_73 | resource | DaemonSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2837 | CKV_K8S_73 | resource | Deployment | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2838 | CKV_K8S_73 | resource | DeploymentConfig | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2839 | CKV_K8S_73 | resource | Job | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2840 | CKV_K8S_73 | resource | Pod | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2841 | CKV_K8S_73 | resource | PodTemplate | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2842 | CKV_K8S_73 | resource | ReplicaSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2843 | CKV_K8S_73 | resource | ReplicationController | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2844 | CKV_K8S_73 | resource | StatefulSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2845 | CKV_K8S_74 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2846 | CKV_K8S_74 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2847 | CKV_K8S_74 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2848 | CKV_K8S_74 | resource | DeploymentConfig | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2849 | CKV_K8S_74 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2850 | CKV_K8S_74 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2851 | CKV_K8S_74 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2852 | CKV_K8S_74 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2853 | CKV_K8S_74 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2854 | CKV_K8S_74 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2855 | CKV_K8S_75 | resource | CronJob | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2856 | CKV_K8S_75 | resource | DaemonSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2857 | CKV_K8S_75 | resource | Deployment | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2858 | CKV_K8S_75 | resource | DeploymentConfig | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2859 | CKV_K8S_75 | resource | Job | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2860 | CKV_K8S_75 | resource | Pod | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2861 | CKV_K8S_75 | resource | PodTemplate | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2862 | CKV_K8S_75 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2863 | CKV_K8S_75 | resource | ReplicationController | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2864 | CKV_K8S_75 | resource | StatefulSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2865 | CKV_K8S_77 | resource | CronJob | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2866 | CKV_K8S_77 | resource | DaemonSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2867 | CKV_K8S_77 | resource | Deployment | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2868 | CKV_K8S_77 | resource | DeploymentConfig | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2869 | CKV_K8S_77 | resource | Job | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2870 | CKV_K8S_77 | resource | Pod | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2871 | CKV_K8S_77 | resource | PodTemplate | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2872 | CKV_K8S_77 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2873 | CKV_K8S_77 | resource | ReplicationController | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2874 | CKV_K8S_77 | resource | StatefulSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2875 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set | Kubernetes | [ApiServerAdmissionControlEventRateLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlEventRateLimit.py) | -| 2876 | CKV_K8S_79 | resource | CronJob | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2877 | CKV_K8S_79 | resource | DaemonSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2878 | CKV_K8S_79 | resource | Deployment | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2879 | CKV_K8S_79 | resource | DeploymentConfig | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2880 | CKV_K8S_79 | resource | Job | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2881 | CKV_K8S_79 | resource | Pod | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2882 | CKV_K8S_79 | resource | PodTemplate | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2883 | CKV_K8S_79 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2884 | CKV_K8S_79 | resource | ReplicationController | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2885 | CKV_K8S_79 | resource | StatefulSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2886 | CKV_K8S_80 | resource | CronJob | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2887 | CKV_K8S_80 | resource | DaemonSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2888 | CKV_K8S_80 | resource | Deployment | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2889 | CKV_K8S_80 | resource | DeploymentConfig | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2890 | CKV_K8S_80 | resource | Job | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2891 | CKV_K8S_80 | resource | Pod | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2892 | CKV_K8S_80 | resource | PodTemplate | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2893 | CKV_K8S_80 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2894 | CKV_K8S_80 | resource | ReplicationController | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2895 | CKV_K8S_80 | resource | StatefulSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2896 | CKV_K8S_81 | resource | CronJob | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2897 | CKV_K8S_81 | resource | DaemonSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2898 | CKV_K8S_81 | resource | Deployment | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2899 | CKV_K8S_81 | resource | DeploymentConfig | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2900 | CKV_K8S_81 | resource | Job | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2901 | CKV_K8S_81 | resource | Pod | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2902 | CKV_K8S_81 | resource | PodTemplate | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2903 | CKV_K8S_81 | resource | ReplicaSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2904 | CKV_K8S_81 | resource | ReplicationController | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2905 | CKV_K8S_81 | resource | StatefulSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2906 | CKV_K8S_82 | resource | CronJob | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2907 | CKV_K8S_82 | resource | DaemonSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2908 | CKV_K8S_82 | resource | Deployment | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2909 | CKV_K8S_82 | resource | DeploymentConfig | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2910 | CKV_K8S_82 | resource | Job | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2911 | CKV_K8S_82 | resource | Pod | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2912 | CKV_K8S_82 | resource | PodTemplate | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2913 | CKV_K8S_82 | resource | ReplicaSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2914 | CKV_K8S_82 | resource | ReplicationController | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2915 | CKV_K8S_82 | resource | StatefulSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2916 | CKV_K8S_83 | resource | CronJob | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2917 | CKV_K8S_83 | resource | DaemonSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2918 | CKV_K8S_83 | resource | Deployment | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2919 | CKV_K8S_83 | resource | DeploymentConfig | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2920 | CKV_K8S_83 | resource | Job | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2921 | CKV_K8S_83 | resource | Pod | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2922 | CKV_K8S_83 | resource | PodTemplate | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2923 | CKV_K8S_83 | resource | ReplicaSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2924 | CKV_K8S_83 | resource | ReplicationController | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2925 | CKV_K8S_83 | resource | StatefulSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2926 | CKV_K8S_84 | resource | CronJob | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2927 | CKV_K8S_84 | resource | DaemonSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2928 | CKV_K8S_84 | resource | Deployment | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2929 | CKV_K8S_84 | resource | DeploymentConfig | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2930 | CKV_K8S_84 | resource | Job | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2931 | CKV_K8S_84 | resource | Pod | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2932 | CKV_K8S_84 | resource | PodTemplate | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2933 | CKV_K8S_84 | resource | ReplicaSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2934 | CKV_K8S_84 | resource | ReplicationController | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2935 | CKV_K8S_84 | resource | StatefulSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2936 | CKV_K8S_85 | resource | CronJob | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2937 | CKV_K8S_85 | resource | DaemonSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2938 | CKV_K8S_85 | resource | Deployment | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2939 | CKV_K8S_85 | resource | DeploymentConfig | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2940 | CKV_K8S_85 | resource | Job | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2941 | CKV_K8S_85 | resource | Pod | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2942 | CKV_K8S_85 | resource | PodTemplate | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2943 | CKV_K8S_85 | resource | ReplicaSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2944 | CKV_K8S_85 | resource | ReplicationController | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2945 | CKV_K8S_85 | resource | StatefulSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2946 | CKV_K8S_86 | resource | CronJob | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2947 | CKV_K8S_86 | resource | DaemonSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2948 | CKV_K8S_86 | resource | Deployment | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2949 | CKV_K8S_86 | resource | DeploymentConfig | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2950 | CKV_K8S_86 | resource | Job | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2951 | CKV_K8S_86 | resource | Pod | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2952 | CKV_K8S_86 | resource | PodTemplate | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2953 | CKV_K8S_86 | resource | ReplicaSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2954 | CKV_K8S_86 | resource | ReplicationController | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2955 | CKV_K8S_86 | resource | StatefulSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2956 | CKV_K8S_88 | resource | CronJob | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 2957 | CKV_K8S_88 | resource | DaemonSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 2958 | CKV_K8S_88 | resource | Deployment | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 2959 | CKV_K8S_88 | resource | DeploymentConfig | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 2960 | CKV_K8S_88 | resource | Job | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 2961 | CKV_K8S_88 | resource | Pod | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 2962 | CKV_K8S_88 | resource | PodTemplate | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 2963 | CKV_K8S_88 | resource | ReplicaSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 2964 | CKV_K8S_88 | resource | ReplicationController | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 2965 | CKV_K8S_88 | resource | StatefulSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 2966 | CKV_K8S_89 | resource | CronJob | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 2967 | CKV_K8S_89 | resource | DaemonSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 2968 | CKV_K8S_89 | resource | Deployment | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 2969 | CKV_K8S_89 | resource | DeploymentConfig | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 2970 | CKV_K8S_89 | resource | Job | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 2971 | CKV_K8S_89 | resource | Pod | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 2972 | CKV_K8S_89 | resource | PodTemplate | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 2973 | CKV_K8S_89 | resource | ReplicaSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 2974 | CKV_K8S_89 | resource | ReplicationController | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 2975 | CKV_K8S_89 | resource | StatefulSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 2976 | CKV_K8S_90 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 2977 | CKV_K8S_90 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 2978 | CKV_K8S_90 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 2979 | CKV_K8S_90 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 2980 | CKV_K8S_90 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 2981 | CKV_K8S_90 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 2982 | CKV_K8S_90 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 2983 | CKV_K8S_90 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 2984 | CKV_K8S_90 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 2985 | CKV_K8S_90 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 2986 | CKV_K8S_91 | resource | CronJob | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 2987 | CKV_K8S_91 | resource | DaemonSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 2988 | CKV_K8S_91 | resource | Deployment | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 2989 | CKV_K8S_91 | resource | DeploymentConfig | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 2990 | CKV_K8S_91 | resource | Job | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 2991 | CKV_K8S_91 | resource | Pod | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 2992 | CKV_K8S_91 | resource | PodTemplate | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 2993 | CKV_K8S_91 | resource | ReplicaSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 2994 | CKV_K8S_91 | resource | ReplicationController | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 2995 | CKV_K8S_91 | resource | StatefulSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 2996 | CKV_K8S_92 | resource | CronJob | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 2997 | CKV_K8S_92 | resource | DaemonSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 2998 | CKV_K8S_92 | resource | Deployment | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 2999 | CKV_K8S_92 | resource | DeploymentConfig | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3000 | CKV_K8S_92 | resource | Job | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3001 | CKV_K8S_92 | resource | Pod | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3002 | CKV_K8S_92 | resource | PodTemplate | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3003 | CKV_K8S_92 | resource | ReplicaSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3004 | CKV_K8S_92 | resource | ReplicationController | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3005 | CKV_K8S_92 | resource | StatefulSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3006 | CKV_K8S_93 | resource | CronJob | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3007 | CKV_K8S_93 | resource | DaemonSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3008 | CKV_K8S_93 | resource | Deployment | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3009 | CKV_K8S_93 | resource | DeploymentConfig | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3010 | CKV_K8S_93 | resource | Job | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3011 | CKV_K8S_93 | resource | Pod | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3012 | CKV_K8S_93 | resource | PodTemplate | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3013 | CKV_K8S_93 | resource | ReplicaSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3014 | CKV_K8S_93 | resource | ReplicationController | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3015 | CKV_K8S_93 | resource | StatefulSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3016 | CKV_K8S_94 | resource | CronJob | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3017 | CKV_K8S_94 | resource | DaemonSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3018 | CKV_K8S_94 | resource | Deployment | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3019 | CKV_K8S_94 | resource | DeploymentConfig | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3020 | CKV_K8S_94 | resource | Job | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3021 | CKV_K8S_94 | resource | Pod | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3022 | CKV_K8S_94 | resource | PodTemplate | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3023 | CKV_K8S_94 | resource | ReplicaSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3024 | CKV_K8S_94 | resource | ReplicationController | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3025 | CKV_K8S_94 | resource | StatefulSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3026 | CKV_K8S_95 | resource | CronJob | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3027 | CKV_K8S_95 | resource | DaemonSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3028 | CKV_K8S_95 | resource | Deployment | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3029 | CKV_K8S_95 | resource | DeploymentConfig | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3030 | CKV_K8S_95 | resource | Job | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3031 | CKV_K8S_95 | resource | Pod | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3032 | CKV_K8S_95 | resource | PodTemplate | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3033 | CKV_K8S_95 | resource | ReplicaSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3034 | CKV_K8S_95 | resource | ReplicationController | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3035 | CKV_K8S_95 | resource | StatefulSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3036 | CKV_K8S_96 | resource | CronJob | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3037 | CKV_K8S_96 | resource | DaemonSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3038 | CKV_K8S_96 | resource | Deployment | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3039 | CKV_K8S_96 | resource | DeploymentConfig | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3040 | CKV_K8S_96 | resource | Job | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3041 | CKV_K8S_96 | resource | Pod | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3042 | CKV_K8S_96 | resource | PodTemplate | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3043 | CKV_K8S_96 | resource | ReplicaSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3044 | CKV_K8S_96 | resource | ReplicationController | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3045 | CKV_K8S_96 | resource | StatefulSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3046 | CKV_K8S_97 | resource | CronJob | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3047 | CKV_K8S_97 | resource | DaemonSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3048 | CKV_K8S_97 | resource | Deployment | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3049 | CKV_K8S_97 | resource | DeploymentConfig | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3050 | CKV_K8S_97 | resource | Job | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3051 | CKV_K8S_97 | resource | Pod | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3052 | CKV_K8S_97 | resource | PodTemplate | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3053 | CKV_K8S_97 | resource | ReplicaSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3054 | CKV_K8S_97 | resource | ReplicationController | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3055 | CKV_K8S_97 | resource | StatefulSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3056 | CKV_K8S_99 | resource | CronJob | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3057 | CKV_K8S_99 | resource | DaemonSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3058 | CKV_K8S_99 | resource | Deployment | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3059 | CKV_K8S_99 | resource | DeploymentConfig | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3060 | CKV_K8S_99 | resource | Job | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3061 | CKV_K8S_99 | resource | Pod | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3062 | CKV_K8S_99 | resource | PodTemplate | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3063 | CKV_K8S_99 | resource | ReplicaSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3064 | CKV_K8S_99 | resource | ReplicationController | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3065 | CKV_K8S_99 | resource | StatefulSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3066 | CKV_K8S_100 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3067 | CKV_K8S_100 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3068 | CKV_K8S_100 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3069 | CKV_K8S_100 | resource | DeploymentConfig | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3070 | CKV_K8S_100 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3071 | CKV_K8S_100 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3072 | CKV_K8S_100 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3073 | CKV_K8S_100 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3074 | CKV_K8S_100 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3075 | CKV_K8S_100 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3076 | CKV_K8S_102 | resource | CronJob | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3077 | CKV_K8S_102 | resource | DaemonSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3078 | CKV_K8S_102 | resource | Deployment | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3079 | CKV_K8S_102 | resource | DeploymentConfig | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3080 | CKV_K8S_102 | resource | Job | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3081 | CKV_K8S_102 | resource | Pod | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3082 | CKV_K8S_102 | resource | PodTemplate | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3083 | CKV_K8S_102 | resource | ReplicaSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3084 | CKV_K8S_102 | resource | ReplicationController | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3085 | CKV_K8S_102 | resource | StatefulSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3086 | CKV_K8S_104 | resource | CronJob | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3087 | CKV_K8S_104 | resource | DaemonSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3088 | CKV_K8S_104 | resource | Deployment | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3089 | CKV_K8S_104 | resource | DeploymentConfig | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3090 | CKV_K8S_104 | resource | Job | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3091 | CKV_K8S_104 | resource | Pod | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3092 | CKV_K8S_104 | resource | PodTemplate | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3093 | CKV_K8S_104 | resource | ReplicaSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3094 | CKV_K8S_104 | resource | ReplicationController | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3095 | CKV_K8S_104 | resource | StatefulSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3096 | CKV_K8S_105 | resource | CronJob | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3097 | CKV_K8S_105 | resource | DaemonSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3098 | CKV_K8S_105 | resource | Deployment | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3099 | CKV_K8S_105 | resource | DeploymentConfig | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3100 | CKV_K8S_105 | resource | Job | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3101 | CKV_K8S_105 | resource | Pod | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3102 | CKV_K8S_105 | resource | PodTemplate | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3103 | CKV_K8S_105 | resource | ReplicaSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3104 | CKV_K8S_105 | resource | ReplicationController | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3105 | CKV_K8S_105 | resource | StatefulSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3106 | CKV_K8S_106 | resource | CronJob | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3107 | CKV_K8S_106 | resource | DaemonSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3108 | CKV_K8S_106 | resource | Deployment | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3109 | CKV_K8S_106 | resource | DeploymentConfig | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3110 | CKV_K8S_106 | resource | Job | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3111 | CKV_K8S_106 | resource | Pod | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3112 | CKV_K8S_106 | resource | PodTemplate | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3113 | CKV_K8S_106 | resource | ReplicaSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3114 | CKV_K8S_106 | resource | ReplicationController | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3115 | CKV_K8S_106 | resource | StatefulSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3116 | CKV_K8S_107 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3117 | CKV_K8S_107 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3118 | CKV_K8S_107 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3119 | CKV_K8S_107 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3120 | CKV_K8S_107 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3121 | CKV_K8S_107 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3122 | CKV_K8S_107 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3123 | CKV_K8S_107 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3124 | CKV_K8S_107 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3125 | CKV_K8S_107 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3126 | CKV_K8S_108 | resource | CronJob | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3127 | CKV_K8S_108 | resource | DaemonSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3128 | CKV_K8S_108 | resource | Deployment | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3129 | CKV_K8S_108 | resource | DeploymentConfig | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3130 | CKV_K8S_108 | resource | Job | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3131 | CKV_K8S_108 | resource | Pod | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3132 | CKV_K8S_108 | resource | PodTemplate | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3133 | CKV_K8S_108 | resource | ReplicaSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3134 | CKV_K8S_108 | resource | ReplicationController | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3135 | CKV_K8S_108 | resource | StatefulSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3136 | CKV_K8S_110 | resource | CronJob | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3137 | CKV_K8S_110 | resource | DaemonSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3138 | CKV_K8S_110 | resource | Deployment | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3139 | CKV_K8S_110 | resource | DeploymentConfig | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3140 | CKV_K8S_110 | resource | Job | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3141 | CKV_K8S_110 | resource | Pod | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3142 | CKV_K8S_110 | resource | PodTemplate | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3143 | CKV_K8S_110 | resource | ReplicaSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3144 | CKV_K8S_110 | resource | ReplicationController | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3145 | CKV_K8S_110 | resource | StatefulSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3146 | CKV_K8S_111 | resource | CronJob | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3147 | CKV_K8S_111 | resource | DaemonSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3148 | CKV_K8S_111 | resource | Deployment | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3149 | CKV_K8S_111 | resource | DeploymentConfig | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3150 | CKV_K8S_111 | resource | Job | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3151 | CKV_K8S_111 | resource | Pod | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3152 | CKV_K8S_111 | resource | PodTemplate | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3153 | CKV_K8S_111 | resource | ReplicaSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3154 | CKV_K8S_111 | resource | ReplicationController | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3155 | CKV_K8S_111 | resource | StatefulSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3156 | CKV_K8S_112 | resource | CronJob | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3157 | CKV_K8S_112 | resource | DaemonSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3158 | CKV_K8S_112 | resource | Deployment | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3159 | CKV_K8S_112 | resource | DeploymentConfig | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3160 | CKV_K8S_112 | resource | Job | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3161 | CKV_K8S_112 | resource | Pod | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3162 | CKV_K8S_112 | resource | PodTemplate | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3163 | CKV_K8S_112 | resource | ReplicaSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3164 | CKV_K8S_112 | resource | ReplicationController | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3165 | CKV_K8S_112 | resource | StatefulSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3166 | CKV_K8S_113 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3167 | CKV_K8S_113 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3168 | CKV_K8S_113 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3169 | CKV_K8S_113 | resource | DeploymentConfig | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3170 | CKV_K8S_113 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3171 | CKV_K8S_113 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3172 | CKV_K8S_113 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3173 | CKV_K8S_113 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3174 | CKV_K8S_113 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3175 | CKV_K8S_113 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3176 | CKV_K8S_114 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3177 | CKV_K8S_114 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3178 | CKV_K8S_114 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3179 | CKV_K8S_114 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3180 | CKV_K8S_114 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3181 | CKV_K8S_114 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3182 | CKV_K8S_114 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3183 | CKV_K8S_114 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3184 | CKV_K8S_114 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3185 | CKV_K8S_114 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3186 | CKV_K8S_115 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3187 | CKV_K8S_115 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3188 | CKV_K8S_115 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3189 | CKV_K8S_115 | resource | DeploymentConfig | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3190 | CKV_K8S_115 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3191 | CKV_K8S_115 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3192 | CKV_K8S_115 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3193 | CKV_K8S_115 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3194 | CKV_K8S_115 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3195 | CKV_K8S_115 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3196 | CKV_K8S_116 | resource | CronJob | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3197 | CKV_K8S_116 | resource | DaemonSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3198 | CKV_K8S_116 | resource | Deployment | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3199 | CKV_K8S_116 | resource | DeploymentConfig | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3200 | CKV_K8S_116 | resource | Job | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3201 | CKV_K8S_116 | resource | Pod | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3202 | CKV_K8S_116 | resource | PodTemplate | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3203 | CKV_K8S_116 | resource | ReplicaSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3204 | CKV_K8S_116 | resource | ReplicationController | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3205 | CKV_K8S_116 | resource | StatefulSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3206 | CKV_K8S_117 | resource | CronJob | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3207 | CKV_K8S_117 | resource | DaemonSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3208 | CKV_K8S_117 | resource | Deployment | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3209 | CKV_K8S_117 | resource | DeploymentConfig | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3210 | CKV_K8S_117 | resource | Job | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3211 | CKV_K8S_117 | resource | Pod | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3212 | CKV_K8S_117 | resource | PodTemplate | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3213 | CKV_K8S_117 | resource | ReplicaSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3214 | CKV_K8S_117 | resource | ReplicationController | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3215 | CKV_K8S_117 | resource | StatefulSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3216 | CKV_K8S_118 | resource | CronJob | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3217 | CKV_K8S_118 | resource | DaemonSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3218 | CKV_K8S_118 | resource | Deployment | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3219 | CKV_K8S_118 | resource | DeploymentConfig | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3220 | CKV_K8S_118 | resource | Job | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3221 | CKV_K8S_118 | resource | Pod | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3222 | CKV_K8S_118 | resource | PodTemplate | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3223 | CKV_K8S_118 | resource | ReplicaSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3224 | CKV_K8S_118 | resource | ReplicationController | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3225 | CKV_K8S_118 | resource | StatefulSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3226 | CKV_K8S_119 | resource | CronJob | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3227 | CKV_K8S_119 | resource | DaemonSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3228 | CKV_K8S_119 | resource | Deployment | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3229 | CKV_K8S_119 | resource | DeploymentConfig | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3230 | CKV_K8S_119 | resource | Job | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3231 | CKV_K8S_119 | resource | Pod | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3232 | CKV_K8S_119 | resource | PodTemplate | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3233 | CKV_K8S_119 | resource | ReplicaSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3234 | CKV_K8S_119 | resource | ReplicationController | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3235 | CKV_K8S_119 | resource | StatefulSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3236 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true | Kubernetes | [PeerClientCertAuthTrue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PeerClientCertAuthTrue.py) | -| 3237 | CKV_K8S_138 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3238 | CKV_K8S_138 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3239 | CKV_K8S_138 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3240 | CKV_K8S_138 | resource | DeploymentConfig | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3241 | CKV_K8S_138 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3242 | CKV_K8S_138 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3243 | CKV_K8S_138 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3244 | CKV_K8S_138 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3245 | CKV_K8S_138 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3246 | CKV_K8S_138 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3247 | CKV_K8S_139 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3248 | CKV_K8S_139 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3249 | CKV_K8S_139 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3250 | CKV_K8S_139 | resource | DeploymentConfig | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3251 | CKV_K8S_139 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3252 | CKV_K8S_139 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3253 | CKV_K8S_139 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3254 | CKV_K8S_139 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3255 | CKV_K8S_139 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3256 | CKV_K8S_139 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3257 | CKV_K8S_140 | resource | CronJob | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3258 | CKV_K8S_140 | resource | DaemonSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3259 | CKV_K8S_140 | resource | Deployment | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3260 | CKV_K8S_140 | resource | DeploymentConfig | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3261 | CKV_K8S_140 | resource | Job | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3262 | CKV_K8S_140 | resource | Pod | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3263 | CKV_K8S_140 | resource | PodTemplate | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3264 | CKV_K8S_140 | resource | ReplicaSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3265 | CKV_K8S_140 | resource | ReplicationController | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3266 | CKV_K8S_140 | resource | StatefulSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3267 | CKV_K8S_141 | resource | CronJob | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3268 | CKV_K8S_141 | resource | DaemonSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3269 | CKV_K8S_141 | resource | Deployment | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3270 | CKV_K8S_141 | resource | DeploymentConfig | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3271 | CKV_K8S_141 | resource | Job | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3272 | CKV_K8S_141 | resource | Pod | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3273 | CKV_K8S_141 | resource | PodTemplate | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3274 | CKV_K8S_141 | resource | ReplicaSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3275 | CKV_K8S_141 | resource | ReplicationController | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3276 | CKV_K8S_141 | resource | StatefulSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3277 | CKV_K8S_143 | resource | CronJob | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3278 | CKV_K8S_143 | resource | DaemonSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3279 | CKV_K8S_143 | resource | Deployment | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3280 | CKV_K8S_143 | resource | DeploymentConfig | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3281 | CKV_K8S_143 | resource | Job | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3282 | CKV_K8S_143 | resource | Pod | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3283 | CKV_K8S_143 | resource | PodTemplate | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3284 | CKV_K8S_143 | resource | ReplicaSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3285 | CKV_K8S_143 | resource | ReplicationController | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3286 | CKV_K8S_143 | resource | StatefulSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3287 | CKV_K8S_144 | resource | CronJob | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3288 | CKV_K8S_144 | resource | DaemonSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3289 | CKV_K8S_144 | resource | Deployment | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3290 | CKV_K8S_144 | resource | DeploymentConfig | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3291 | CKV_K8S_144 | resource | Job | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3292 | CKV_K8S_144 | resource | Pod | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3293 | CKV_K8S_144 | resource | PodTemplate | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3294 | CKV_K8S_144 | resource | ReplicaSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3295 | CKV_K8S_144 | resource | ReplicationController | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3296 | CKV_K8S_144 | resource | StatefulSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3297 | CKV_K8S_145 | resource | CronJob | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3298 | CKV_K8S_145 | resource | DaemonSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3299 | CKV_K8S_145 | resource | Deployment | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3300 | CKV_K8S_145 | resource | DeploymentConfig | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3301 | CKV_K8S_145 | resource | Job | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3302 | CKV_K8S_145 | resource | Pod | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3303 | CKV_K8S_145 | resource | PodTemplate | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3304 | CKV_K8S_145 | resource | ReplicaSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3305 | CKV_K8S_145 | resource | ReplicationController | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3306 | CKV_K8S_145 | resource | StatefulSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3307 | CKV_K8S_146 | resource | CronJob | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3308 | CKV_K8S_146 | resource | DaemonSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3309 | CKV_K8S_146 | resource | Deployment | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3310 | CKV_K8S_146 | resource | DeploymentConfig | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3311 | CKV_K8S_146 | resource | Job | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3312 | CKV_K8S_146 | resource | Pod | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3313 | CKV_K8S_146 | resource | PodTemplate | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3314 | CKV_K8S_146 | resource | ReplicaSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3315 | CKV_K8S_146 | resource | ReplicationController | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3316 | CKV_K8S_146 | resource | StatefulSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3317 | CKV_K8S_147 | resource | CronJob | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3318 | CKV_K8S_147 | resource | DaemonSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3319 | CKV_K8S_147 | resource | Deployment | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3320 | CKV_K8S_147 | resource | DeploymentConfig | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3321 | CKV_K8S_147 | resource | Job | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3322 | CKV_K8S_147 | resource | Pod | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3323 | CKV_K8S_147 | resource | PodTemplate | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3324 | CKV_K8S_147 | resource | ReplicaSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3325 | CKV_K8S_147 | resource | ReplicationController | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3326 | CKV_K8S_147 | resource | StatefulSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3327 | CKV_K8S_148 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3328 | CKV_K8S_148 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3329 | CKV_K8S_148 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3330 | CKV_K8S_148 | resource | DeploymentConfig | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3331 | CKV_K8S_148 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3332 | CKV_K8S_148 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3333 | CKV_K8S_148 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3334 | CKV_K8S_148 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3335 | CKV_K8S_148 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3336 | CKV_K8S_148 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3337 | CKV_K8S_149 | resource | CronJob | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3338 | CKV_K8S_149 | resource | DaemonSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3339 | CKV_K8S_149 | resource | Deployment | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3340 | CKV_K8S_149 | resource | DeploymentConfig | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3341 | CKV_K8S_149 | resource | Job | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3342 | CKV_K8S_149 | resource | Pod | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3343 | CKV_K8S_149 | resource | PodTemplate | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3344 | CKV_K8S_149 | resource | ReplicaSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3345 | CKV_K8S_149 | resource | ReplicationController | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3346 | CKV_K8S_149 | resource | StatefulSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3347 | CKV_K8S_151 | resource | CronJob | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3348 | CKV_K8S_151 | resource | DaemonSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3349 | CKV_K8S_151 | resource | Deployment | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3350 | CKV_K8S_151 | resource | DeploymentConfig | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3351 | CKV_K8S_151 | resource | Job | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3352 | CKV_K8S_151 | resource | Pod | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3353 | CKV_K8S_151 | resource | PodTemplate | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3354 | CKV_K8S_151 | resource | ReplicaSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3355 | CKV_K8S_151 | resource | ReplicationController | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3356 | CKV_K8S_151 | resource | StatefulSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3357 | CKV_K8S_152 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain LUA code execution. See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742Lua.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Lua.py) | -| 3358 | CKV_K8S_153 | resource | Ingress | Prevent All NGINX Ingress annotation snippets. See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742AllSnippets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742AllSnippets.py) | -| 3359 | CKV_K8S_154 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain alias statements See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742Alias.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Alias.py) | -| 3360 | CKV_K8S_155 | resource | ClusterRole | Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations | Kubernetes | [RbacControlWebhooks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py) | -| 3361 | CKV_K8S_156 | resource | ClusterRole | Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests | Kubernetes | [RbacApproveCertificateSigningRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacApproveCertificateSigningRequests.py) | -| 3362 | CKV_K8S_157 | resource | ClusterRole | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | Kubernetes | [RbacBindRoleBindings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py) | -| 3363 | CKV_K8S_157 | resource | Role | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | Kubernetes | [RbacBindRoleBindings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py) | -| 3364 | CKV_K8S_158 | resource | ClusterRole | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | Kubernetes | [RbacEscalateRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py) | -| 3365 | CKV_K8S_158 | resource | Role | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | Kubernetes | [RbacEscalateRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py) | -| 3366 | CKV2_K8S_1 | resource | ClusterRole | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | -| 3367 | CKV2_K8S_1 | resource | ClusterRoleBinding | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | -| 3368 | CKV2_K8S_1 | resource | Role | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | -| 3369 | CKV2_K8S_1 | resource | RoleBinding | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | -| 3370 | CKV2_K8S_2 | resource | ClusterRole | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | -| 3371 | CKV2_K8S_2 | resource | ClusterRoleBinding | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | -| 3372 | CKV2_K8S_2 | resource | Role | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | -| 3373 | CKV2_K8S_2 | resource | RoleBinding | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | -| 3374 | CKV2_K8S_3 | resource | ClusterRole | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | -| 3375 | CKV2_K8S_3 | resource | ClusterRoleBinding | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | -| 3376 | CKV2_K8S_3 | resource | Role | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | -| 3377 | CKV2_K8S_3 | resource | RoleBinding | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | -| 3378 | CKV2_K8S_4 | resource | ClusterRole | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | -| 3379 | CKV2_K8S_4 | resource | ClusterRoleBinding | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | -| 3380 | CKV2_K8S_4 | resource | Role | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | -| 3381 | CKV2_K8S_4 | resource | RoleBinding | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | -| 3382 | CKV2_K8S_5 | resource | ClusterRole | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | -| 3383 | CKV2_K8S_5 | resource | ClusterRoleBinding | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | -| 3384 | CKV2_K8S_5 | resource | Role | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | -| 3385 | CKV2_K8S_5 | resource | RoleBinding | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | -| 3386 | CKV2_K8S_6 | resource | Deployment | Minimize the admission of pods which lack an associated NetworkPolicy | Kubernetes | [RequireAllPodsToHaveNetworkPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RequireAllPodsToHaveNetworkPolicy.yaml) | -| 3387 | CKV2_K8S_6 | resource | Pod | Minimize the admission of pods which lack an associated NetworkPolicy | Kubernetes | [RequireAllPodsToHaveNetworkPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RequireAllPodsToHaveNetworkPolicy.yaml) | -| 3388 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/linode/credentials.py) | -| 3389 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | [authorized_keys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/authorized_keys.py) | -| 3390 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | [user_email_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_email_set.py) | -| 3391 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | [user_username_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_username_set.py) | -| 3392 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_inbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_inbound_policy.py) | -| 3393 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_outbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_outbound_policy.py) | -| 3394 | CKV_NCP_1 | resource | ncloud_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupDefinesHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py) | -| 3395 | CKV_NCP_2 | resource | ncloud_access_control_group | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | -| 3396 | CKV_NCP_2 | resource | ncloud_access_control_group_rule | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | -| 3397 | CKV_NCP_3 | resource | ncloud_access_control_group_rule | Ensure no security group rules allow outbound traffic to 0.0.0.0/0 | Terraform | [AccessControlGroupOutboundRule.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py) | -| 3398 | CKV_NCP_4 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22 | Terraform | [AccessControlGroupInboundRulePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort22.py) | -| 3399 | CKV_NCP_5 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [AccessControlGroupInboundRulePort3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort3389.py) | -| 3400 | CKV_NCP_6 | resource | ncloud_server | Ensure Server instance is encrypted. | Terraform | [ServerEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerEncryptionVPC.py) | -| 3401 | CKV_NCP_7 | resource | ncloud_launch_configuration | Ensure Basic Block storage is encrypted. | Terraform | [LaunchConfigurationEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LaunchConfigurationEncryptionVPC.py) | -| 3402 | CKV_NCP_8 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 20 | Terraform | [NACLInbound20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound20.py) | -| 3403 | CKV_NCP_9 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 21 | Terraform | [NACLInbound21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound21.py) | -| 3404 | CKV_NCP_10 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 22 | Terraform | [NACLInbound22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound22.py) | -| 3405 | CKV_NCP_11 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [NACLInbound3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound3389.py) | -| 3406 | CKV_NCP_12 | resource | ncloud_network_acl_rule | An inbound Network ACL rule should not allow ALL ports. | Terraform | [NACLPortCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLPortCheck.py) | -| 3407 | CKV_NCP_13 | resource | ncloud_lb_listener | Ensure LB Listener uses only secure protocols | Terraform | [LBListenerUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py) | -| 3408 | CKV_NCP_14 | resource | ncloud_nas_volume | Ensure NAS is securely encrypted | Terraform | [NASEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py) | -| 3409 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | [LBTargetGroupUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py) | -| 3410 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | [LBNetworkPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py) | -| 3411 | CKV_NCP_18 | resource | ncloud_auto_scaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | -| 3412 | CKV_NCP_18 | resource | ncloud_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | -| 3413 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | [NKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSPublicAccess.py) | -| 3414 | CKV_NCP_20 | resource | ncloud_route | Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | Terraform | [RouteTableNATGatewayDefault.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py) | -| 3415 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | [NKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py) | -| 3416 | CKV_NCP_22 | resource | ncloud_route_table | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | -| 3417 | CKV_NCP_22 | resource | ncloud_subnet | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | -| 3418 | CKV_NCP_23 | resource | ncloud_public_ip | Ensure Server instance should not have public IP. | Terraform | [ServerPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerPublicIP.py) | -| 3419 | CKV_NCP_24 | resource | ncloud_lb_listener | Ensure Load Balancer Listener Using HTTPS | Terraform | [LBListenerUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsingHTTPS.py) | -| 3420 | CKV_NCP_25 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 | Terraform | [AccessControlGroupInboundRulePort80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort80.py) | -| 3421 | CKV_NCP_26 | resource | ncloud_access_control_group | Ensure Access Control Group has Access Control Group Rule attached | Terraform | [AccessControlGroupRuleDefine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AccessControlGroupRuleDefine.yaml) | -| 3422 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/oci/credentials.py) | -| 3423 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | [StorageBlockBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockBackupEnabled.py) | -| 3424 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | [StorageBlockEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockEncryption.py) | -| 3425 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | [InstanceBootVolumeIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceBootVolumeIntransitEncryption.py) | -| 3426 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | [InstanceMetadataServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMetadataServiceEnabled.py) | -| 3427 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | [InstanceMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMonitoringEnabled.py) | -| 3428 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | [ObjectStorageEmitEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEmitEvents.py) | -| 3429 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | [ObjectStorageVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageVersioning.py) | -| 3430 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | [ObjectStorageEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEncryption.py) | -| 3431 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | [ObjectStoragePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStoragePublic.py) | -| 3432 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | [IAMPasswordPolicyLowerCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyLowerCase.py) | -| 3433 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | [IAMPasswordPolicyNumeric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyNumeric.py) | -| 3434 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | [IAMPasswordPolicySpecialCharacters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicySpecialCharacters.py) | -| 3435 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | [IAMPasswordPolicyUpperCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyUpperCase.py) | -| 3436 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | [FileSystemEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/FileSystemEncryption.py) | -| 3437 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | [SecurityListIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngress.py) | -| 3438 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | [SecurityListIngressStateless.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngressStateless.py) | -| 3439 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters | Terraform | [IAMPasswordLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordLength.py) | -| 3440 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | [SecurityListUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress22.py) | -| 3441 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | [SecurityListUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress3389.py) | -| 3442 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | [SecurityGroupsIngressStatelessSecurityRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityGroupsIngressStatelessSecurityRules.py) | -| 3443 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | [AbsSecurityGroupUnrestrictedIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/AbsSecurityGroupUnrestrictedIngress.py) | -| 3444 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 3445 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 3446 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 3447 | CKV2_OCI_2 | resource | oci_core_network_security_group_security_rule | Ensure NSG does not allow all traffic on RDP port (3389) | Terraform | [OCI_NSGNotAllowRDP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml) | -| 3448 | CKV2_OCI_3 | resource | oci_containerengine_cluster | Ensure Kubernetes engine cluster is configured with NSG(s) | Terraform | [OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml) | -| 3449 | CKV2_OCI_4 | resource | oci_file_storage_export | Ensure File Storage File System access is restricted to root users | Terraform | [OCI_NFSaccessRestrictedToRootUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NFSaccessRestrictedToRootUsers.yaml) | -| 3450 | CKV2_OCI_5 | resource | oci_containerengine_node_pool | Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Terraform | [OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml) | -| 3451 | CKV2_OCI_6 | resource | oci_containerengine_cluster | Ensure Kubernetes Engine Cluster pod security policy is enforced | Terraform | [OCI_K8EngineClusterPodSecPolicyEnforced.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterPodSecPolicyEnforced.yaml) | -| 3452 | CKV_OPENAPI_1 | resource | securityDefinitions | Ensure that securityDefinitions is defined and not empty - version 2.0 files | OpenAPI | [SecurityDefinitions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityDefinitions.py) | -| 3453 | CKV_OPENAPI_2 | resource | security | Ensure that if the security scheme is not of type 'oauth2', the array value must be empty - version 2.0 files | OpenAPI | [Oauth2SecurityRequirement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityRequirement.py) | -| 3454 | CKV_OPENAPI_3 | resource | components | Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files | OpenAPI | [CleartextOverUnencryptedChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v3/CleartextOverUnencryptedChannel.py) | -| 3455 | CKV_OPENAPI_4 | resource | security | Ensure that the global security field has rules defined | OpenAPI | [GlobalSecurityFieldIsEmpty.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/GlobalSecurityFieldIsEmpty.py) | -| 3456 | CKV_OPENAPI_5 | resource | security | Ensure that security operations is not empty. | OpenAPI | [SecurityOperations.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/SecurityOperations.py) | -| 3457 | CKV_OPENAPI_6 | resource | security | Ensure that security requirement defined in securityDefinitions - version 2.0 files | OpenAPI | [SecurityRequirement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityRequirement.py) | -| 3458 | CKV_OPENAPI_7 | resource | security | Ensure that the path scheme does not support unencrypted HTTP connection where all transmissions are open to interception- version 2.0 files | OpenAPI | [PathSchemeDefineHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/PathSchemeDefineHTTP.py) | -| 3459 | CKV_OPENAPI_8 | resource | security | Ensure that security is not using 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2SecurityPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityPasswordFlow.py) | -| 3460 | CKV_OPENAPI_9 | resource | paths | Ensure that security scopes of operations are defined in securityDefinitions - version 2.0 files | OpenAPI | [OperationObjectSecurityScopeUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectSecurityScopeUndefined.py) | -| 3461 | CKV_OPENAPI_10 | resource | paths | Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2OperationObjectPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2OperationObjectPasswordFlow.py) | -| 3462 | CKV_OPENAPI_11 | resource | securityDefinitions | Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2SecurityDefinitionPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityDefinitionPasswordFlow.py) | -| 3463 | CKV_OPENAPI_12 | resource | securityDefinitions | Ensure no security definition is using implicit flow on OAuth2, which is deprecated - version 2.0 files | OpenAPI | [Oauth2SecurityDefinitionImplicitFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityDefinitionImplicitFlow.py) | -| 3464 | CKV_OPENAPI_13 | resource | securityDefinitions | Ensure security definitions do not use basic auth - version 2.0 files | OpenAPI | [SecurityDefinitionBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityDefinitionBasicAuth.py) | -| 3465 | CKV_OPENAPI_14 | resource | paths | Ensure that operation objects do not use 'implicit' flow, which is deprecated - version 2.0 files | OpenAPI | [OperationObjectImplicitFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectImplicitFlow.py) | -| 3466 | CKV_OPENAPI_15 | resource | paths | Ensure that operation objects do not use basic auth - version 2.0 files | OpenAPI | [OperationObjectBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectBasicAuth.py) | -| 3467 | CKV_OPENAPI_16 | resource | paths | Ensure that operation objects have 'produces' field defined for GET operations - version 2.0 files | OpenAPI | [OperationObjectProducesUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectProducesUndefined.py) | -| 3468 | CKV_OPENAPI_17 | resource | paths | Ensure that operation objects have 'consumes' field defined for PUT, POST and PATCH operations - version 2.0 files | OpenAPI | [OperationObjectConsumesUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectConsumesUndefined.py) | -| 3469 | CKV_OPENAPI_18 | resource | schemes | Ensure that global schemes use 'https' protocol instead of 'http'- version 2.0 files | OpenAPI | [GlobalSchemeDefineHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/GlobalSchemeDefineHTTP.py) | -| 3470 | CKV_OPENAPI_19 | resource | security | Ensure that global security scope is defined in securityDefinitions - version 2.0 files | OpenAPI | [GlobalSecurityScopeUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/GlobalSecurityScopeUndefined.py) | -| 3471 | CKV_OPENAPI_20 | resource | paths | Ensure that API keys are not sent over cleartext | OpenAPI | [ClearTextAPIKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/ClearTextAPIKey.py) | -| 3472 | CKV_OPENAPI_21 | resource | paths | Ensure that arrays have a maximum number of items | OpenAPI | [NoMaximumNumberItems.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/NoMaximumNumberItems.py) | -| 3473 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/openstack/credentials.py) | -| 3474 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | -| 3475 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | -| 3476 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | -| 3477 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | -| 3478 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | [ComputeInstanceAdminPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/ComputeInstanceAdminPassword.py) | -| 3479 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | [FirewallRuleSetDestinationIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/FirewallRuleSetDestinationIP.py) | -| 3480 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/panos/credentials.py) | -| 3481 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoHTTP.py) | -| 3482 | CKV_PAN_2 | resource | tasks.paloaltonetworks.panos.panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Ansible | [PanosInterfaceMgmtProfileNoHTTP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoHTTP.yaml) | -| 3483 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoTelnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoTelnet.py) | -| 3484 | CKV_PAN_3 | resource | tasks.paloaltonetworks.panos.panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Ansible | [PanosInterfaceMgmtProfileNoTelnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoTelnet.yaml) | -| 3485 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | -| 3486 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | -| 3487 | CKV_PAN_4 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure DSRI is not enabled within security policies | Ansible | [PanosPolicyNoDSRI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoDSRI.yaml) | -| 3488 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | -| 3489 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | -| 3490 | CKV_PAN_5 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'application' set to 'any' | Ansible | [PanosPolicyNoApplicationAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoApplicationAny.yaml) | -| 3491 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | -| 3492 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | -| 3493 | CKV_PAN_6 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'service' set to 'any' | Ansible | [PanosPolicyNoServiceAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoServiceAny.yaml) | -| 3494 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | -| 3495 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | -| 3496 | CKV_PAN_7 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'source_ip' and 'destination_ip' both containing values of 'any' | Ansible | [PanosPolicyNoSrcAnyDstAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoSrcAnyDstAny.yaml) | -| 3497 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | -| 3498 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | -| 3499 | CKV_PAN_8 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure description is populated within security policies | Ansible | [PanosPolicyDescription.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyDescription.yaml) | -| 3500 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | -| 3501 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | -| 3502 | CKV_PAN_9 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure a Log Forwarding Profile is selected for each security policy rule | Ansible | [PanosPolicyLogForwarding.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLogForwarding.yaml) | -| 3503 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | -| 3504 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | -| 3505 | CKV_PAN_10 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure logging at session end is enabled within security policies | Ansible | [PanosPolicyLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLoggingEnabled.yaml) | -| 3506 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | -| 3507 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | -| 3508 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | -| 3509 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | -| 3510 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | -| 3511 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | -| 3512 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 3513 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 3514 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 3515 | CKV_PAN_14 | resource | tasks.paloaltonetworks.panos.panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Ansible | [PanosZoneProtectionProfile.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosZoneProtectionProfile.yaml) | -| 3516 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | -| 3517 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | -| 3518 | CKV_PAN_15 | resource | tasks.paloaltonetworks.panos.panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Ansible | [PanosZoneUserIDIncludeACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosZoneUserIDIncludeACL.yaml) | -| 3519 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3520 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3521 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3522 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3523 | CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3524 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3525 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3526 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3527 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3528 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3529 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3530 | CKV_SECRET_13 | Private Key | secrets | Private Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3531 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3532 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3533 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3534 | CKV_SECRET_17 | Stripe Access Key | secrets | Stripe Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3535 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3536 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3537 | CKV_TF_1 | module | module | Ensure Terraform module sources use a commit hash | Terraform | [RevisionHash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py) | -| 3538 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3539 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3540 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3541 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3542 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3543 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3544 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3545 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3546 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3547 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | [ComputeVMPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMPublicIP.py) | -| 3548 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | [ObjectStorageBucketEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketEncryption.py) | -| 3549 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | [ComputeVMSerialConsole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSerialConsole.py) | -| 3550 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | [K8SPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SPublicIP.py) | -| 3551 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | [K8SNodeGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupPublicIP.py) | -| 3552 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform | [K8SAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SAutoUpgrade.py) | -| 3553 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | [K8SNodeGroupAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupAutoUpgrade.py) | -| 3554 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | [KMSSymmetricKeyRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/KMSSymmetricKeyRotation.py) | -| 3555 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | [K8SEtcdKMSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SEtcdKMSEncryption.py) | -| 3556 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | [ComputeVMSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSecurityGroup.py) | -| 3557 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3558 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3559 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3560 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3561 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3562 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3563 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3564 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3565 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | -| 3566 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | -| 3567 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | [K8SSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SSecurityGroup.py) | -| 3568 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | [K8SNodeGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupSecurityGroup.py) | -| 3569 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | [K8SNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNetworkPolicy.py) | -| 3570 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. | Terraform | [ObjectStorageBucketPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py) | -| 3571 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | [ComputeInstanceGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupPublicIP.py) | -| 3572 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform | [VPCSecurityGroupAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py) | -| 3573 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | [VPCSecurityGroupRuleAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py) | -| 3574 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | -| 3575 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | -| 3576 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform | [ComputeInstanceGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupSecurityGroup.py) | -| 3577 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | -| 3578 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | -| 3579 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3580 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3581 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3582 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3583 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3584 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 812 | CKV_AWS_359 | resource | aws_neptune_cluster | Neptune DB clusters should have IAM database authentication enabled | Terraform | [NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py) | +| 813 | CKV_AWS_360 | resource | AWS::DocDB::DBCluster | Ensure DocDB has an adequate backup retention period | Cloudformation | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py) | +| 814 | CKV_AWS_360 | resource | aws_docdb_cluster | Ensure DocDB has an adequate backup retention period | Terraform | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBBackupRetention.py) | +| 815 | CKV_AWS_361 | resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py) | +| 816 | CKV_AWS_361 | resource | aws_neptune_cluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Terraform | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py) | +| 817 | CKV_AWS_362 | resource | aws_neptune_cluster | Neptune DB clusters should be configured to copy tags to snapshots | Terraform | [NeptuneDBClustersCopyTagsToSnapshots.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersCopyTagsToSnapshots.py) | +| 818 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | +| 819 | CKV_AWS_363 | resource | AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | +| 820 | CKV_AWS_363 | resource | aws_lambda_function | Ensure Lambda Runtime is not deprecated | Terraform | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py) | +| 821 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py) | +| 822 | CKV_AWS_364 | resource | aws_lambda_permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Terraform | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaServicePermission.py) | +| 823 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | +| 824 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | +| 825 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | +| 826 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | +| 827 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | +| 828 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | +| 829 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | +| 830 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | +| 831 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform | [SGAttachedToResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml) | +| 832 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | +| 833 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | +| 834 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | +| 835 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | +| 836 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | [RDSClusterHasBackupPlan.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSClusterHasBackupPlan.yaml) | +| 837 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | [EBSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EBSAddedBackup.yaml) | +| 838 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | [CloudtrailHasCloudwatch.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudtrailHasCloudwatch.yaml) | +| 839 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | [VPCHasFlowLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasFlowLog.yaml) | +| 840 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | +| 841 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | +| 842 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | +| 843 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | +| 844 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | +| 845 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | +| 846 | CKV2_AWS_15 | resource | aws_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | +| 847 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | +| 848 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | +| 849 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | [EFSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EFSAddedBackup.yaml) | +| 850 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | +| 851 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | +| 852 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | +| 853 | CKV2_AWS_20 | resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | +| 854 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | +| 855 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | +| 856 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | [IAMUsersAreMembersAtLeastOneGroup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUsersAreMembersAtLeastOneGroup.yaml) | +| 857 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | [IAMUserHasNoConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUserHasNoConsoleAccess.yaml) | +| 858 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | [Route53ARecordAttachedResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ARecordAttachedResource.yaml) | +| 859 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | +| 860 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | +| 861 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | +| 862 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | +| 863 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | +| 864 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | +| 865 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | +| 866 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | +| 867 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 has a Logging Configuration | Terraform | [WAF2HasLogs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/WAF2HasLogs.yaml) | +| 868 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a response headers policy attached | Terraform | [CloudFrontHasResponseHeadersPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasResponseHeadersPolicy.yaml) | +| 869 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) | +| 870 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppSyncProtectedByWAF.yaml) | +| 871 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform | [AWSSSMParameterShouldBeEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSSSMParameterShouldBeEncrypted.yaml) | +| 872 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | +| 873 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | +| 874 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | +| 875 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | +| 876 | CKV2_AWS_37 | resource | aws | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 877 | CKV2_AWS_37 | resource | aws_accessanalyzer_analyzer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 878 | CKV2_AWS_37 | resource | aws_acm_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 879 | CKV2_AWS_37 | resource | aws_acm_certificate_validation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 880 | CKV2_AWS_37 | resource | aws_acmpca_certificate_authority | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 881 | CKV2_AWS_37 | resource | aws_ami | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 882 | CKV2_AWS_37 | resource | aws_ami_copy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 883 | CKV2_AWS_37 | resource | aws_ami_from_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 884 | CKV2_AWS_37 | resource | aws_ami_launch_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 885 | CKV2_AWS_37 | resource | aws_api_gateway_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 886 | CKV2_AWS_37 | resource | aws_api_gateway_api_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 887 | CKV2_AWS_37 | resource | aws_api_gateway_authorizer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 888 | CKV2_AWS_37 | resource | aws_api_gateway_base_path_mapping | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 889 | CKV2_AWS_37 | resource | aws_api_gateway_client_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 890 | CKV2_AWS_37 | resource | aws_api_gateway_deployment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 891 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_part | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 892 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_version | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 893 | CKV2_AWS_37 | resource | aws_api_gateway_domain_name | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 894 | CKV2_AWS_37 | resource | aws_api_gateway_gateway_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 895 | CKV2_AWS_37 | resource | aws_api_gateway_integration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 896 | CKV2_AWS_37 | resource | aws_api_gateway_integration_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 897 | CKV2_AWS_37 | resource | aws_api_gateway_method | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 898 | CKV2_AWS_37 | resource | aws_api_gateway_method_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 899 | CKV2_AWS_37 | resource | aws_api_gateway_method_settings | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 900 | CKV2_AWS_37 | resource | aws_api_gateway_model | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 901 | CKV2_AWS_37 | resource | aws_api_gateway_request_validator | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 902 | CKV2_AWS_37 | resource | aws_api_gateway_resource | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 903 | CKV2_AWS_37 | resource | aws_api_gateway_rest_api | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 904 | CKV2_AWS_37 | resource | aws_api_gateway_stage | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 905 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 906 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 907 | CKV2_AWS_37 | resource | aws_api_gateway_vpc_link | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 908 | CKV2_AWS_37 | resource | aws_apigatewayv2_api | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 909 | CKV2_AWS_37 | resource | aws_apigatewayv2_api_mapping | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 910 | CKV2_AWS_37 | resource | aws_apigatewayv2_authorizer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 911 | CKV2_AWS_37 | resource | aws_apigatewayv2_deployment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 912 | CKV2_AWS_37 | resource | aws_apigatewayv2_domain_name | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 913 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 914 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 915 | CKV2_AWS_37 | resource | aws_apigatewayv2_model | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 916 | CKV2_AWS_37 | resource | aws_apigatewayv2_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 917 | CKV2_AWS_37 | resource | aws_apigatewayv2_route_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 918 | CKV2_AWS_37 | resource | aws_apigatewayv2_stage | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 919 | CKV2_AWS_37 | resource | aws_apigatewayv2_vpc_link | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 920 | CKV2_AWS_37 | resource | aws_app_cookie_stickiness_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 921 | CKV2_AWS_37 | resource | aws_appautoscaling_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 922 | CKV2_AWS_37 | resource | aws_appautoscaling_scheduled_action | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 923 | CKV2_AWS_37 | resource | aws_appautoscaling_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 924 | CKV2_AWS_37 | resource | aws_appmesh_mesh | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 925 | CKV2_AWS_37 | resource | aws_appmesh_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 926 | CKV2_AWS_37 | resource | aws_appmesh_virtual_node | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 927 | CKV2_AWS_37 | resource | aws_appmesh_virtual_router | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 928 | CKV2_AWS_37 | resource | aws_appmesh_virtual_service | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 929 | CKV2_AWS_37 | resource | aws_appsync_api_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 930 | CKV2_AWS_37 | resource | aws_appsync_datasource | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 931 | CKV2_AWS_37 | resource | aws_appsync_function | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 932 | CKV2_AWS_37 | resource | aws_appsync_graphql_api | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 933 | CKV2_AWS_37 | resource | aws_appsync_resolver | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 934 | CKV2_AWS_37 | resource | aws_athena_database | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 935 | CKV2_AWS_37 | resource | aws_athena_named_query | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 936 | CKV2_AWS_37 | resource | aws_athena_workgroup | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 937 | CKV2_AWS_37 | resource | aws_autoscaling_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 938 | CKV2_AWS_37 | resource | aws_autoscaling_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 939 | CKV2_AWS_37 | resource | aws_autoscaling_lifecycle_hook | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 940 | CKV2_AWS_37 | resource | aws_autoscaling_notification | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 941 | CKV2_AWS_37 | resource | aws_autoscaling_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 942 | CKV2_AWS_37 | resource | aws_autoscaling_schedule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 943 | CKV2_AWS_37 | resource | aws_backup_plan | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 944 | CKV2_AWS_37 | resource | aws_backup_selection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 945 | CKV2_AWS_37 | resource | aws_backup_vault | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 946 | CKV2_AWS_37 | resource | aws_batch_compute_environment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 947 | CKV2_AWS_37 | resource | aws_batch_job_definition | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 948 | CKV2_AWS_37 | resource | aws_batch_job_queue | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 949 | CKV2_AWS_37 | resource | aws_budgets_budget | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 950 | CKV2_AWS_37 | resource | aws_cloud9_environment_ec2 | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 951 | CKV2_AWS_37 | resource | aws_cloudformation_stack | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 952 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 953 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 954 | CKV2_AWS_37 | resource | aws_cloudfront_distribution | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 955 | CKV2_AWS_37 | resource | aws_cloudfront_origin_access_identity | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 956 | CKV2_AWS_37 | resource | aws_cloudfront_public_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 957 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 958 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_hsm | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 959 | CKV2_AWS_37 | resource | aws_cloudtrail | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 960 | CKV2_AWS_37 | resource | aws_cloudwatch_dashboard | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 961 | CKV2_AWS_37 | resource | aws_cloudwatch_event_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 962 | CKV2_AWS_37 | resource | aws_cloudwatch_event_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 963 | CKV2_AWS_37 | resource | aws_cloudwatch_event_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 964 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 965 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 966 | CKV2_AWS_37 | resource | aws_cloudwatch_log_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 967 | CKV2_AWS_37 | resource | aws_cloudwatch_log_metric_filter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 968 | CKV2_AWS_37 | resource | aws_cloudwatch_log_resource_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 969 | CKV2_AWS_37 | resource | aws_cloudwatch_log_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 970 | CKV2_AWS_37 | resource | aws_cloudwatch_log_subscription_filter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 971 | CKV2_AWS_37 | resource | aws_cloudwatch_metric_alarm | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 972 | CKV2_AWS_37 | resource | aws_codebuild_project | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 973 | CKV2_AWS_37 | resource | aws_codebuild_source_credential | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 974 | CKV2_AWS_37 | resource | aws_codebuild_webhook | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 975 | CKV2_AWS_37 | resource | aws_codecommit_repository | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 976 | CKV2_AWS_37 | resource | aws_codecommit_trigger | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 977 | CKV2_AWS_37 | resource | aws_codedeploy_app | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 978 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_config | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 979 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 980 | CKV2_AWS_37 | resource | aws_codepipeline | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 981 | CKV2_AWS_37 | resource | aws_codepipeline_webhook | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 982 | CKV2_AWS_37 | resource | aws_codestarnotifications_notification_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 983 | CKV2_AWS_37 | resource | aws_cognito_identity_pool | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 984 | CKV2_AWS_37 | resource | aws_cognito_identity_pool_roles_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 985 | CKV2_AWS_37 | resource | aws_cognito_identity_provider | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 986 | CKV2_AWS_37 | resource | aws_cognito_resource_server | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 987 | CKV2_AWS_37 | resource | aws_cognito_user_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 988 | CKV2_AWS_37 | resource | aws_cognito_user_pool | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 989 | CKV2_AWS_37 | resource | aws_cognito_user_pool_client | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 990 | CKV2_AWS_37 | resource | aws_cognito_user_pool_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 991 | CKV2_AWS_37 | resource | aws_config_aggregate_authorization | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 992 | CKV2_AWS_37 | resource | aws_config_config_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 993 | CKV2_AWS_37 | resource | aws_config_configuration_aggregator | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 994 | CKV2_AWS_37 | resource | aws_config_configuration_recorder | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 995 | CKV2_AWS_37 | resource | aws_config_configuration_recorder_status | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 996 | CKV2_AWS_37 | resource | aws_config_delivery_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 997 | CKV2_AWS_37 | resource | aws_config_organization_custom_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 998 | CKV2_AWS_37 | resource | aws_config_organization_managed_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 999 | CKV2_AWS_37 | resource | aws_cur_report_definition | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1000 | CKV2_AWS_37 | resource | aws_customer_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1001 | CKV2_AWS_37 | resource | aws_datapipeline_pipeline | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1002 | CKV2_AWS_37 | resource | aws_datasync_agent | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1003 | CKV2_AWS_37 | resource | aws_datasync_location_efs | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1004 | CKV2_AWS_37 | resource | aws_datasync_location_nfs | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1005 | CKV2_AWS_37 | resource | aws_datasync_location_s3 | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1006 | CKV2_AWS_37 | resource | aws_datasync_location_smb | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1007 | CKV2_AWS_37 | resource | aws_datasync_task | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1008 | CKV2_AWS_37 | resource | aws_dax_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1009 | CKV2_AWS_37 | resource | aws_dax_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1010 | CKV2_AWS_37 | resource | aws_dax_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1011 | CKV2_AWS_37 | resource | aws_db_cluster_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1012 | CKV2_AWS_37 | resource | aws_db_event_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1013 | CKV2_AWS_37 | resource | aws_db_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1014 | CKV2_AWS_37 | resource | aws_db_instance_role_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1015 | CKV2_AWS_37 | resource | aws_db_option_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1016 | CKV2_AWS_37 | resource | aws_db_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1017 | CKV2_AWS_37 | resource | aws_db_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1018 | CKV2_AWS_37 | resource | aws_db_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1019 | CKV2_AWS_37 | resource | aws_db_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1020 | CKV2_AWS_37 | resource | aws_default_network_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1021 | CKV2_AWS_37 | resource | aws_default_route_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1022 | CKV2_AWS_37 | resource | aws_default_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1023 | CKV2_AWS_37 | resource | aws_default_subnet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1024 | CKV2_AWS_37 | resource | aws_default_vpc | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1025 | CKV2_AWS_37 | resource | aws_default_vpc_dhcp_options | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1026 | CKV2_AWS_37 | resource | aws_devicefarm_project | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1027 | CKV2_AWS_37 | resource | aws_directory_service_conditional_forwarder | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1028 | CKV2_AWS_37 | resource | aws_directory_service_directory | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1029 | CKV2_AWS_37 | resource | aws_directory_service_log_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1030 | CKV2_AWS_37 | resource | aws_dlm_lifecycle_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1031 | CKV2_AWS_37 | resource | aws_dms_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1032 | CKV2_AWS_37 | resource | aws_dms_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1033 | CKV2_AWS_37 | resource | aws_dms_event_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1034 | CKV2_AWS_37 | resource | aws_dms_replication_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1035 | CKV2_AWS_37 | resource | aws_dms_replication_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1036 | CKV2_AWS_37 | resource | aws_dms_replication_task | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1037 | CKV2_AWS_37 | resource | aws_docdb_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1038 | CKV2_AWS_37 | resource | aws_docdb_cluster_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1039 | CKV2_AWS_37 | resource | aws_docdb_cluster_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1040 | CKV2_AWS_37 | resource | aws_docdb_cluster_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1041 | CKV2_AWS_37 | resource | aws_docdb_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1042 | CKV2_AWS_37 | resource | aws_dx_bgp_peer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1043 | CKV2_AWS_37 | resource | aws_dx_connection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1044 | CKV2_AWS_37 | resource | aws_dx_connection_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1045 | CKV2_AWS_37 | resource | aws_dx_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1046 | CKV2_AWS_37 | resource | aws_dx_gateway_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1047 | CKV2_AWS_37 | resource | aws_dx_gateway_association_proposal | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1048 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1049 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1050 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1051 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1052 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1053 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1054 | CKV2_AWS_37 | resource | aws_dx_lag | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1055 | CKV2_AWS_37 | resource | aws_dx_private_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1056 | CKV2_AWS_37 | resource | aws_dx_public_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1057 | CKV2_AWS_37 | resource | aws_dx_transit_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1058 | CKV2_AWS_37 | resource | aws_dynamodb_global_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1059 | CKV2_AWS_37 | resource | aws_dynamodb_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1060 | CKV2_AWS_37 | resource | aws_dynamodb_table_item | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1061 | CKV2_AWS_37 | resource | aws_ebs_default_kms_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1062 | CKV2_AWS_37 | resource | aws_ebs_encryption_by_default | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1063 | CKV2_AWS_37 | resource | aws_ebs_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1064 | CKV2_AWS_37 | resource | aws_ebs_snapshot_copy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1065 | CKV2_AWS_37 | resource | aws_ebs_volume | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1066 | CKV2_AWS_37 | resource | aws_ec2_availability_zone_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1067 | CKV2_AWS_37 | resource | aws_ec2_capacity_reservation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1068 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_authorization_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1069 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1070 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_network_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1071 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1072 | CKV2_AWS_37 | resource | aws_ec2_fleet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1073 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1074 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route_table_vpc_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1075 | CKV2_AWS_37 | resource | aws_ec2_tag | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1076 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1077 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1078 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_session | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1079 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1080 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1081 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1082 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1083 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1084 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1085 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1086 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_propagation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1087 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1088 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1089 | CKV2_AWS_37 | resource | aws_ecr_lifecycle_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1090 | CKV2_AWS_37 | resource | aws_ecr_repository | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1091 | CKV2_AWS_37 | resource | aws_ecr_repository_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1092 | CKV2_AWS_37 | resource | aws_ecs_capacity_provider | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1093 | CKV2_AWS_37 | resource | aws_ecs_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1094 | CKV2_AWS_37 | resource | aws_ecs_service | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1095 | CKV2_AWS_37 | resource | aws_ecs_task_definition | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1096 | CKV2_AWS_37 | resource | aws_efs_access_point | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1097 | CKV2_AWS_37 | resource | aws_efs_file_system | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1098 | CKV2_AWS_37 | resource | aws_efs_file_system_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1099 | CKV2_AWS_37 | resource | aws_efs_mount_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1100 | CKV2_AWS_37 | resource | aws_egress_only_internet_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1101 | CKV2_AWS_37 | resource | aws_eip | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1102 | CKV2_AWS_37 | resource | aws_eip_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1103 | CKV2_AWS_37 | resource | aws_eks_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1104 | CKV2_AWS_37 | resource | aws_eks_fargate_profile | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1105 | CKV2_AWS_37 | resource | aws_eks_node_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1106 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1107 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application_version | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1108 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_configuration_template | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1109 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_environment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1110 | CKV2_AWS_37 | resource | aws_elasticache_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1111 | CKV2_AWS_37 | resource | aws_elasticache_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1112 | CKV2_AWS_37 | resource | aws_elasticache_replication_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1113 | CKV2_AWS_37 | resource | aws_elasticache_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1114 | CKV2_AWS_37 | resource | aws_elasticache_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1115 | CKV2_AWS_37 | resource | aws_elasticsearch_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1116 | CKV2_AWS_37 | resource | aws_elasticsearch_domain_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1117 | CKV2_AWS_37 | resource | aws_elastictranscoder_pipeline | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1118 | CKV2_AWS_37 | resource | aws_elastictranscoder_preset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1119 | CKV2_AWS_37 | resource | aws_elb | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1120 | CKV2_AWS_37 | resource | aws_elb_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1121 | CKV2_AWS_37 | resource | aws_emr_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1122 | CKV2_AWS_37 | resource | aws_emr_instance_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1123 | CKV2_AWS_37 | resource | aws_emr_security_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1124 | CKV2_AWS_37 | resource | aws_flow_log | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1125 | CKV2_AWS_37 | resource | aws_fms_admin_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1126 | CKV2_AWS_37 | resource | aws_fsx_lustre_file_system | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1127 | CKV2_AWS_37 | resource | aws_fsx_windows_file_system | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1128 | CKV2_AWS_37 | resource | aws_gamelift_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1129 | CKV2_AWS_37 | resource | aws_gamelift_build | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1130 | CKV2_AWS_37 | resource | aws_gamelift_fleet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1131 | CKV2_AWS_37 | resource | aws_gamelift_game_session_queue | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1132 | CKV2_AWS_37 | resource | aws_glacier_vault | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1133 | CKV2_AWS_37 | resource | aws_glacier_vault_lock | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1134 | CKV2_AWS_37 | resource | aws_globalaccelerator_accelerator | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1135 | CKV2_AWS_37 | resource | aws_globalaccelerator_endpoint_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1136 | CKV2_AWS_37 | resource | aws_globalaccelerator_listener | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1137 | CKV2_AWS_37 | resource | aws_glue_catalog_database | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1138 | CKV2_AWS_37 | resource | aws_glue_catalog_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1139 | CKV2_AWS_37 | resource | aws_glue_classifier | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1140 | CKV2_AWS_37 | resource | aws_glue_connection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1141 | CKV2_AWS_37 | resource | aws_glue_crawler | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1142 | CKV2_AWS_37 | resource | aws_glue_job | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1143 | CKV2_AWS_37 | resource | aws_glue_security_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1144 | CKV2_AWS_37 | resource | aws_glue_trigger | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1145 | CKV2_AWS_37 | resource | aws_glue_workflow | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1146 | CKV2_AWS_37 | resource | aws_guardduty_detector | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1147 | CKV2_AWS_37 | resource | aws_guardduty_invite_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1148 | CKV2_AWS_37 | resource | aws_guardduty_ipset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1149 | CKV2_AWS_37 | resource | aws_guardduty_member | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1150 | CKV2_AWS_37 | resource | aws_guardduty_organization_admin_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1151 | CKV2_AWS_37 | resource | aws_guardduty_organization_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1152 | CKV2_AWS_37 | resource | aws_guardduty_threatintelset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1153 | CKV2_AWS_37 | resource | aws_iam_access_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1154 | CKV2_AWS_37 | resource | aws_iam_account_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1155 | CKV2_AWS_37 | resource | aws_iam_account_password_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1156 | CKV2_AWS_37 | resource | aws_iam_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1157 | CKV2_AWS_37 | resource | aws_iam_group_membership | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1158 | CKV2_AWS_37 | resource | aws_iam_group_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1159 | CKV2_AWS_37 | resource | aws_iam_group_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1160 | CKV2_AWS_37 | resource | aws_iam_instance_profile | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1161 | CKV2_AWS_37 | resource | aws_iam_openid_connect_provider | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1162 | CKV2_AWS_37 | resource | aws_iam_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1163 | CKV2_AWS_37 | resource | aws_iam_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1164 | CKV2_AWS_37 | resource | aws_iam_policy_document | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1165 | CKV2_AWS_37 | resource | aws_iam_role | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1166 | CKV2_AWS_37 | resource | aws_iam_role_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1167 | CKV2_AWS_37 | resource | aws_iam_role_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1168 | CKV2_AWS_37 | resource | aws_iam_saml_provider | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1169 | CKV2_AWS_37 | resource | aws_iam_server_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1170 | CKV2_AWS_37 | resource | aws_iam_service_linked_role | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1171 | CKV2_AWS_37 | resource | aws_iam_user | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1172 | CKV2_AWS_37 | resource | aws_iam_user_group_membership | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1173 | CKV2_AWS_37 | resource | aws_iam_user_login_profile | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1174 | CKV2_AWS_37 | resource | aws_iam_user_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1175 | CKV2_AWS_37 | resource | aws_iam_user_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1176 | CKV2_AWS_37 | resource | aws_iam_user_ssh_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1177 | CKV2_AWS_37 | resource | aws_inspector_assessment_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1178 | CKV2_AWS_37 | resource | aws_inspector_assessment_template | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1179 | CKV2_AWS_37 | resource | aws_inspector_resource_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1180 | CKV2_AWS_37 | resource | aws_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1181 | CKV2_AWS_37 | resource | aws_internet_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1182 | CKV2_AWS_37 | resource | aws_iot_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1183 | CKV2_AWS_37 | resource | aws_iot_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1184 | CKV2_AWS_37 | resource | aws_iot_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1185 | CKV2_AWS_37 | resource | aws_iot_role_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1186 | CKV2_AWS_37 | resource | aws_iot_thing | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1187 | CKV2_AWS_37 | resource | aws_iot_thing_principal_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1188 | CKV2_AWS_37 | resource | aws_iot_thing_type | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1189 | CKV2_AWS_37 | resource | aws_iot_topic_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1190 | CKV2_AWS_37 | resource | aws_key_pair | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1191 | CKV2_AWS_37 | resource | aws_kinesis_analytics_application | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1192 | CKV2_AWS_37 | resource | aws_kinesis_firehose_delivery_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1193 | CKV2_AWS_37 | resource | aws_kinesis_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1194 | CKV2_AWS_37 | resource | aws_kinesis_video_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1195 | CKV2_AWS_37 | resource | aws_kms_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1196 | CKV2_AWS_37 | resource | aws_kms_ciphertext | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1197 | CKV2_AWS_37 | resource | aws_kms_external_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1198 | CKV2_AWS_37 | resource | aws_kms_grant | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1199 | CKV2_AWS_37 | resource | aws_kms_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1200 | CKV2_AWS_37 | resource | aws_lambda_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1201 | CKV2_AWS_37 | resource | aws_lambda_event_source_mapping | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1202 | CKV2_AWS_37 | resource | aws_lambda_function | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1203 | CKV2_AWS_37 | resource | aws_lambda_function_event_invoke_config | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1204 | CKV2_AWS_37 | resource | aws_lambda_layer_version | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1205 | CKV2_AWS_37 | resource | aws_lambda_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1206 | CKV2_AWS_37 | resource | aws_lambda_provisioned_concurrency_config | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1207 | CKV2_AWS_37 | resource | aws_launch_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1208 | CKV2_AWS_37 | resource | aws_launch_template | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1209 | CKV2_AWS_37 | resource | aws_lb | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1210 | CKV2_AWS_37 | resource | aws_lb_cookie_stickiness_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1211 | CKV2_AWS_37 | resource | aws_lb_listener | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1212 | CKV2_AWS_37 | resource | aws_lb_listener_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1213 | CKV2_AWS_37 | resource | aws_lb_listener_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1214 | CKV2_AWS_37 | resource | aws_lb_ssl_negotiation_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1215 | CKV2_AWS_37 | resource | aws_lb_target_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1216 | CKV2_AWS_37 | resource | aws_lb_target_group_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1217 | CKV2_AWS_37 | resource | aws_licensemanager_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1218 | CKV2_AWS_37 | resource | aws_licensemanager_license_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1219 | CKV2_AWS_37 | resource | aws_lightsail_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1220 | CKV2_AWS_37 | resource | aws_lightsail_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1221 | CKV2_AWS_37 | resource | aws_lightsail_key_pair | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1222 | CKV2_AWS_37 | resource | aws_lightsail_static_ip | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1223 | CKV2_AWS_37 | resource | aws_lightsail_static_ip_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1224 | CKV2_AWS_37 | resource | aws_load_balancer_backend_server_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1225 | CKV2_AWS_37 | resource | aws_load_balancer_listener_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1226 | CKV2_AWS_37 | resource | aws_load_balancer_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1227 | CKV2_AWS_37 | resource | aws_macie_member_account_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1228 | CKV2_AWS_37 | resource | aws_macie_s3_bucket_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1229 | CKV2_AWS_37 | resource | aws_main_route_table_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1230 | CKV2_AWS_37 | resource | aws_media_convert_queue | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1231 | CKV2_AWS_37 | resource | aws_media_package_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1232 | CKV2_AWS_37 | resource | aws_media_store_container | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1233 | CKV2_AWS_37 | resource | aws_media_store_container_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1234 | CKV2_AWS_37 | resource | aws_mq_broker | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1235 | CKV2_AWS_37 | resource | aws_mq_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1236 | CKV2_AWS_37 | resource | aws_msk_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1237 | CKV2_AWS_37 | resource | aws_msk_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1238 | CKV2_AWS_37 | resource | aws_nat_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1239 | CKV2_AWS_37 | resource | aws_neptune_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1240 | CKV2_AWS_37 | resource | aws_neptune_cluster_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1241 | CKV2_AWS_37 | resource | aws_neptune_cluster_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1242 | CKV2_AWS_37 | resource | aws_neptune_cluster_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1243 | CKV2_AWS_37 | resource | aws_neptune_event_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1244 | CKV2_AWS_37 | resource | aws_neptune_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1245 | CKV2_AWS_37 | resource | aws_neptune_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1246 | CKV2_AWS_37 | resource | aws_network_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1247 | CKV2_AWS_37 | resource | aws_network_acl_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1248 | CKV2_AWS_37 | resource | aws_network_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1249 | CKV2_AWS_37 | resource | aws_network_interface_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1250 | CKV2_AWS_37 | resource | aws_network_interface_sg_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1251 | CKV2_AWS_37 | resource | aws_opsworks_application | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1252 | CKV2_AWS_37 | resource | aws_opsworks_custom_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1253 | CKV2_AWS_37 | resource | aws_opsworks_ganglia_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1254 | CKV2_AWS_37 | resource | aws_opsworks_haproxy_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1255 | CKV2_AWS_37 | resource | aws_opsworks_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1256 | CKV2_AWS_37 | resource | aws_opsworks_java_app_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1257 | CKV2_AWS_37 | resource | aws_opsworks_memcached_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1258 | CKV2_AWS_37 | resource | aws_opsworks_mysql_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1259 | CKV2_AWS_37 | resource | aws_opsworks_nodejs_app_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1260 | CKV2_AWS_37 | resource | aws_opsworks_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1261 | CKV2_AWS_37 | resource | aws_opsworks_php_app_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1262 | CKV2_AWS_37 | resource | aws_opsworks_rails_app_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1263 | CKV2_AWS_37 | resource | aws_opsworks_rds_db_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1264 | CKV2_AWS_37 | resource | aws_opsworks_stack | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1265 | CKV2_AWS_37 | resource | aws_opsworks_static_web_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1266 | CKV2_AWS_37 | resource | aws_opsworks_user_profile | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1267 | CKV2_AWS_37 | resource | aws_organizations_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1268 | CKV2_AWS_37 | resource | aws_organizations_organization | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1269 | CKV2_AWS_37 | resource | aws_organizations_organizational_unit | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1270 | CKV2_AWS_37 | resource | aws_organizations_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1271 | CKV2_AWS_37 | resource | aws_organizations_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1272 | CKV2_AWS_37 | resource | aws_pinpoint_adm_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1273 | CKV2_AWS_37 | resource | aws_pinpoint_apns_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1274 | CKV2_AWS_37 | resource | aws_pinpoint_apns_sandbox_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1275 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1276 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_sandbox_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1277 | CKV2_AWS_37 | resource | aws_pinpoint_app | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1278 | CKV2_AWS_37 | resource | aws_pinpoint_baidu_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1279 | CKV2_AWS_37 | resource | aws_pinpoint_email_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1280 | CKV2_AWS_37 | resource | aws_pinpoint_event_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1281 | CKV2_AWS_37 | resource | aws_pinpoint_gcm_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1282 | CKV2_AWS_37 | resource | aws_pinpoint_sms_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1283 | CKV2_AWS_37 | resource | aws_placement_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1284 | CKV2_AWS_37 | resource | aws_proxy_protocol_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1285 | CKV2_AWS_37 | resource | aws_qldb_ledger | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1286 | CKV2_AWS_37 | resource | aws_quicksight_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1287 | CKV2_AWS_37 | resource | aws_quicksight_user | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1288 | CKV2_AWS_37 | resource | aws_ram_principal_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1289 | CKV2_AWS_37 | resource | aws_ram_resource_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1290 | CKV2_AWS_37 | resource | aws_ram_resource_share | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1291 | CKV2_AWS_37 | resource | aws_ram_resource_share_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1292 | CKV2_AWS_37 | resource | aws_rds_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1293 | CKV2_AWS_37 | resource | aws_rds_cluster_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1294 | CKV2_AWS_37 | resource | aws_rds_cluster_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1295 | CKV2_AWS_37 | resource | aws_rds_cluster_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1296 | CKV2_AWS_37 | resource | aws_rds_global_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1297 | CKV2_AWS_37 | resource | aws_redshift_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1298 | CKV2_AWS_37 | resource | aws_redshift_event_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1299 | CKV2_AWS_37 | resource | aws_redshift_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1300 | CKV2_AWS_37 | resource | aws_redshift_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1301 | CKV2_AWS_37 | resource | aws_redshift_snapshot_copy_grant | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1302 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1303 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1304 | CKV2_AWS_37 | resource | aws_redshift_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1305 | CKV2_AWS_37 | resource | aws_resourcegroups_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1306 | CKV2_AWS_37 | resource | aws_root | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1307 | CKV2_AWS_37 | resource | aws_root_access_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1308 | CKV2_AWS_37 | resource | aws_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1309 | CKV2_AWS_37 | resource | aws_route53_delegation_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1310 | CKV2_AWS_37 | resource | aws_route53_health_check | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1311 | CKV2_AWS_37 | resource | aws_route53_query_log | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1312 | CKV2_AWS_37 | resource | aws_route53_record | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1313 | CKV2_AWS_37 | resource | aws_route53_resolver_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1314 | CKV2_AWS_37 | resource | aws_route53_resolver_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1315 | CKV2_AWS_37 | resource | aws_route53_resolver_rule_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1316 | CKV2_AWS_37 | resource | aws_route53_vpc_association_authorization | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1317 | CKV2_AWS_37 | resource | aws_route53_zone | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1318 | CKV2_AWS_37 | resource | aws_route53_zone_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1319 | CKV2_AWS_37 | resource | aws_route_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1320 | CKV2_AWS_37 | resource | aws_route_table_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1321 | CKV2_AWS_37 | resource | aws_s3_access_point | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1322 | CKV2_AWS_37 | resource | aws_s3_account_public_access_block | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1323 | CKV2_AWS_37 | resource | aws_s3_bucket | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1324 | CKV2_AWS_37 | resource | aws_s3_bucket_analytics_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1325 | CKV2_AWS_37 | resource | aws_s3_bucket_inventory | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1326 | CKV2_AWS_37 | resource | aws_s3_bucket_metric | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1327 | CKV2_AWS_37 | resource | aws_s3_bucket_notification | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1328 | CKV2_AWS_37 | resource | aws_s3_bucket_object | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1329 | CKV2_AWS_37 | resource | aws_s3_bucket_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1330 | CKV2_AWS_37 | resource | aws_s3_bucket_public_access_block | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1331 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1332 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1333 | CKV2_AWS_37 | resource | aws_sagemaker_model | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1334 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1335 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance_lifecycle_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1336 | CKV2_AWS_37 | resource | aws_secretsmanager_secret | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1337 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_rotation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1338 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_version | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1339 | CKV2_AWS_37 | resource | aws_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1340 | CKV2_AWS_37 | resource | aws_security_group_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1341 | CKV2_AWS_37 | resource | aws_securityhub_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1342 | CKV2_AWS_37 | resource | aws_securityhub_member | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1343 | CKV2_AWS_37 | resource | aws_securityhub_product_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1344 | CKV2_AWS_37 | resource | aws_securityhub_standards_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1345 | CKV2_AWS_37 | resource | aws_service_discovery_http_namespace | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1346 | CKV2_AWS_37 | resource | aws_service_discovery_private_dns_namespace | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1347 | CKV2_AWS_37 | resource | aws_service_discovery_public_dns_namespace | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1348 | CKV2_AWS_37 | resource | aws_service_discovery_service | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1349 | CKV2_AWS_37 | resource | aws_servicecatalog_portfolio | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1350 | CKV2_AWS_37 | resource | aws_servicequotas_service_quota | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1351 | CKV2_AWS_37 | resource | aws_ses_active_receipt_rule_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1352 | CKV2_AWS_37 | resource | aws_ses_configuration_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1353 | CKV2_AWS_37 | resource | aws_ses_domain_dkim | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1354 | CKV2_AWS_37 | resource | aws_ses_domain_identity | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1355 | CKV2_AWS_37 | resource | aws_ses_domain_identity_verification | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1356 | CKV2_AWS_37 | resource | aws_ses_domain_mail_from | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1357 | CKV2_AWS_37 | resource | aws_ses_email_identity | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1358 | CKV2_AWS_37 | resource | aws_ses_event_destination | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1359 | CKV2_AWS_37 | resource | aws_ses_identity_notification_topic | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1360 | CKV2_AWS_37 | resource | aws_ses_identity_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1361 | CKV2_AWS_37 | resource | aws_ses_receipt_filter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1362 | CKV2_AWS_37 | resource | aws_ses_receipt_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1363 | CKV2_AWS_37 | resource | aws_ses_receipt_rule_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1364 | CKV2_AWS_37 | resource | aws_ses_template | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1365 | CKV2_AWS_37 | resource | aws_sfn_activity | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1366 | CKV2_AWS_37 | resource | aws_sfn_state_machine | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1367 | CKV2_AWS_37 | resource | aws_shield_protection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1368 | CKV2_AWS_37 | resource | aws_simpledb_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1369 | CKV2_AWS_37 | resource | aws_snapshot_create_volume_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1370 | CKV2_AWS_37 | resource | aws_sns_platform_application | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1371 | CKV2_AWS_37 | resource | aws_sns_sms_preferences | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1372 | CKV2_AWS_37 | resource | aws_sns_topic | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1373 | CKV2_AWS_37 | resource | aws_sns_topic_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1374 | CKV2_AWS_37 | resource | aws_sns_topic_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1375 | CKV2_AWS_37 | resource | aws_spot_datafeed_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1376 | CKV2_AWS_37 | resource | aws_spot_fleet_request | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1377 | CKV2_AWS_37 | resource | aws_spot_instance_request | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1378 | CKV2_AWS_37 | resource | aws_sqs_queue | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1379 | CKV2_AWS_37 | resource | aws_sqs_queue_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1380 | CKV2_AWS_37 | resource | aws_ssm_activation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1381 | CKV2_AWS_37 | resource | aws_ssm_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1382 | CKV2_AWS_37 | resource | aws_ssm_document | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1383 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1384 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1385 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_task | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1386 | CKV2_AWS_37 | resource | aws_ssm_parameter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1387 | CKV2_AWS_37 | resource | aws_ssm_patch_baseline | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1388 | CKV2_AWS_37 | resource | aws_ssm_patch_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1389 | CKV2_AWS_37 | resource | aws_ssm_resource_data_sync | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1390 | CKV2_AWS_37 | resource | aws_storagegateway_cache | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1391 | CKV2_AWS_37 | resource | aws_storagegateway_cached_iscsi_volume | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1392 | CKV2_AWS_37 | resource | aws_storagegateway_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1393 | CKV2_AWS_37 | resource | aws_storagegateway_nfs_file_share | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1394 | CKV2_AWS_37 | resource | aws_storagegateway_smb_file_share | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1395 | CKV2_AWS_37 | resource | aws_storagegateway_upload_buffer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1396 | CKV2_AWS_37 | resource | aws_storagegateway_working_storage | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1397 | CKV2_AWS_37 | resource | aws_subnet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1398 | CKV2_AWS_37 | resource | aws_swf_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1399 | CKV2_AWS_37 | resource | aws_transfer_server | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1400 | CKV2_AWS_37 | resource | aws_transfer_ssh_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1401 | CKV2_AWS_37 | resource | aws_transfer_user | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1402 | CKV2_AWS_37 | resource | aws_volume_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1403 | CKV2_AWS_37 | resource | aws_vpc | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1404 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1405 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1406 | CKV2_AWS_37 | resource | aws_vpc_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1407 | CKV2_AWS_37 | resource | aws_vpc_endpoint_connection_notification | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1408 | CKV2_AWS_37 | resource | aws_vpc_endpoint_route_table_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1409 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1410 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service_allowed_principal | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1411 | CKV2_AWS_37 | resource | aws_vpc_endpoint_subnet_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1412 | CKV2_AWS_37 | resource | aws_vpc_ipv4_cidr_block_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1413 | CKV2_AWS_37 | resource | aws_vpc_peering_connection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1414 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1415 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_options | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1416 | CKV2_AWS_37 | resource | aws_vpn_connection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1417 | CKV2_AWS_37 | resource | aws_vpn_connection_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1418 | CKV2_AWS_37 | resource | aws_vpn_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1419 | CKV2_AWS_37 | resource | aws_vpn_gateway_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1420 | CKV2_AWS_37 | resource | aws_vpn_gateway_route_propagation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1421 | CKV2_AWS_37 | resource | aws_waf_byte_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1422 | CKV2_AWS_37 | resource | aws_waf_geo_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1423 | CKV2_AWS_37 | resource | aws_waf_ipset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1424 | CKV2_AWS_37 | resource | aws_waf_rate_based_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1425 | CKV2_AWS_37 | resource | aws_waf_regex_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1426 | CKV2_AWS_37 | resource | aws_waf_regex_pattern_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1427 | CKV2_AWS_37 | resource | aws_waf_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1428 | CKV2_AWS_37 | resource | aws_waf_rule_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1429 | CKV2_AWS_37 | resource | aws_waf_size_constraint_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1430 | CKV2_AWS_37 | resource | aws_waf_sql_injection_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1431 | CKV2_AWS_37 | resource | aws_waf_web_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1432 | CKV2_AWS_37 | resource | aws_waf_xss_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1433 | CKV2_AWS_37 | resource | aws_wafregional_byte_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1434 | CKV2_AWS_37 | resource | aws_wafregional_geo_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1435 | CKV2_AWS_37 | resource | aws_wafregional_ipset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1436 | CKV2_AWS_37 | resource | aws_wafregional_rate_based_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1437 | CKV2_AWS_37 | resource | aws_wafregional_regex_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1438 | CKV2_AWS_37 | resource | aws_wafregional_regex_pattern_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1439 | CKV2_AWS_37 | resource | aws_wafregional_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1440 | CKV2_AWS_37 | resource | aws_wafregional_rule_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1441 | CKV2_AWS_37 | resource | aws_wafregional_size_constraint_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1442 | CKV2_AWS_37 | resource | aws_wafregional_sql_injection_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1443 | CKV2_AWS_37 | resource | aws_wafregional_web_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1444 | CKV2_AWS_37 | resource | aws_wafregional_web_acl_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1445 | CKV2_AWS_37 | resource | aws_wafregional_xss_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1446 | CKV2_AWS_37 | resource | aws_wafv2_ip_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1447 | CKV2_AWS_37 | resource | aws_wafv2_regex_pattern_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1448 | CKV2_AWS_37 | resource | aws_wafv2_rule_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1449 | CKV2_AWS_37 | resource | aws_wafv2_web_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1450 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1451 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_logging_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1452 | CKV2_AWS_37 | resource | aws_worklink_fleet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1453 | CKV2_AWS_37 | resource | aws_worklink_website_certificate_authority_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1454 | CKV2_AWS_37 | resource | aws_workspaces_directory | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1455 | CKV2_AWS_37 | resource | aws_workspaces_ip_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1456 | CKV2_AWS_37 | resource | aws_workspaces_workspace | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1457 | CKV2_AWS_37 | resource | aws_xray_sampling_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1458 | CKV2_AWS_38 | resource | aws_route53_zone | Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones | Terraform | [Route53ZoneEnableDNSSECSigning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneEnableDNSSECSigning.yaml) | +| 1459 | CKV2_AWS_39 | resource | aws_route53_zone | Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones | Terraform | [Route53ZoneHasMatchingQueryLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneHasMatchingQueryLog.yaml) | +| 1460 | CKV2_AWS_40 | resource | aws_iam_group_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1461 | CKV2_AWS_40 | resource | aws_iam_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1462 | CKV2_AWS_40 | resource | aws_iam_role_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1463 | CKV2_AWS_40 | resource | aws_iam_user_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1464 | CKV2_AWS_40 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1465 | CKV2_AWS_40 | resource | data.aws_iam_policy_document | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1466 | CKV2_AWS_41 | resource | aws_instance | Ensure an IAM role is attached to EC2 instance | Terraform | [EC2InstanceHasIAMRoleAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EC2InstanceHasIAMRoleAttached.yaml) | +| 1467 | CKV2_AWS_42 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution uses custom SSL certificate | Terraform | [CloudFrontHasCustomSSLCertificate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml) | +| 1468 | CKV2_AWS_43 | resource | aws_s3_bucket_acl | Ensure S3 Bucket does not allow access to all Authenticated users | Terraform | [S3NotAllowAccessToAllAuthenticatedUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml) | +| 1469 | CKV2_AWS_44 | resource | aws_route | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | +| 1470 | CKV2_AWS_44 | resource | aws_route_table | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | +| 1471 | CKV2_AWS_45 | resource | aws_config_configuration_recorder | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) | +| 1472 | CKV2_AWS_45 | resource | aws_config_configuration_recorder_status | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) | +| 1473 | CKV2_AWS_46 | resource | aws_cloudfront_distribution | Ensure AWS Cloudfront Distribution with S3 have Origin Access set to enabled | Terraform | [CLoudFrontS3OriginConfigWithOAI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CLoudFrontS3OriginConfigWithOAI.yaml) | +| 1474 | CKV2_AWS_47 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) | +| 1475 | CKV2_AWS_47 | resource | aws_wafv2_web_acl | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) | +| 1476 | CKV2_AWS_48 | resource | aws_config_configuration_recorder | Ensure AWS Config must record all possible resources | Terraform | [ConfigRecorderRecordsAllGlobalResources.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ConfigRecorderRecordsAllGlobalResources.yaml) | +| 1477 | CKV2_AWS_49 | resource | aws_dms_endpoint | Ensure AWS Database Migration Service endpoints have SSL configured | Terraform | [DMSEndpointHaveSSLConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/DMSEndpointHaveSSLConfigured.yaml) | +| 1478 | CKV2_AWS_50 | resource | aws_elasticache_replication_group | Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled | Terraform | [ElastiCacheRedisConfiguredAutomaticFailOver.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElastiCacheRedisConfiguredAutomaticFailOver.yaml) | +| 1479 | CKV2_AWS_51 | resource | aws_api_gateway_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | +| 1480 | CKV2_AWS_51 | resource | aws_apigatewayv2_api | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | +| 1481 | CKV2_AWS_51 | resource | aws_apigatewayv2_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | +| 1482 | CKV2_AWS_52 | resource | aws_elasticsearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) | +| 1483 | CKV2_AWS_52 | resource | aws_opensearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) | +| 1484 | CKV2_AWS_53 | resource | aws_api_gateway_method | Ensure AWS API gateway request is validated | Terraform | [APIGatewayRequestParameterValidationEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayRequestParameterValidationEnabled.yaml) | +| 1485 | CKV2_AWS_54 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication | Terraform | [CloudFrontUsesSecureProtocolsForHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontUsesSecureProtocolsForHTTPS.yaml) | +| 1486 | CKV2_AWS_55 | resource | aws_emr_cluster | Ensure AWS EMR cluster is configured with security configuration | Terraform | [EMRClusterHasSecurityConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EMRClusterHasSecurityConfiguration.yaml) | +| 1487 | CKV2_AWS_56 | resource | aws_iam_group_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1488 | CKV2_AWS_56 | resource | aws_iam_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1489 | CKV2_AWS_56 | resource | aws_iam_role | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1490 | CKV2_AWS_56 | resource | aws_iam_role_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1491 | CKV2_AWS_56 | resource | aws_iam_user_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1492 | CKV2_AWS_56 | resource | aws_ssoadmin_managed_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1493 | CKV2_AWS_56 | resource | data.aws_iam_policy | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1494 | CKV2_AWS_57 | resource | aws_secretsmanager_secret | Ensure Secrets Manager secrets should have automatic rotation enabled | Terraform | [SecretsAreRotated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SecretsAreRotated.yaml) | +| 1495 | CKV2_AWS_58 | resource | aws_neptune_cluster | Ensure AWS Neptune cluster deletion protection is enabled | Terraform | [NeptuneDeletionProtectionEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NeptuneDeletionProtectionEnabled.yaml) | +| 1496 | CKV2_AWS_59 | resource | aws_elasticsearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | +| 1497 | CKV2_AWS_59 | resource | aws_opensearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | +| 1498 | CKV2_AWS_60 | resource | aws_db_instance | Ensure RDS instance with copy tags to snapshots is enabled | Terraform | [RDSEnableCopyTagsToSnapshot.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSEnableCopyTagsToSnapshot.yaml) | +| 1499 | CKV2_AWS_61 | resource | aws_s3_bucket | Ensure that an S3 bucket has a lifecycle configuration | Terraform | [S3BucketLifecycle.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLifecycle.yaml) | +| 1500 | CKV2_AWS_62 | resource | aws_s3_bucket | Ensure S3 buckets should have event notifications enabled | Terraform | [S3BucketEventNotifications.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEventNotifications.yaml) | +| 1501 | CKV2_AWS_63 | resource | aws_networkfirewall_firewall | Ensure Network firewall has logging configuration defined | Terraform | [NetworkFirewallHasLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NetworkFirewallHasLogging.yaml) | +| 1502 | CKV2_AWS_64 | resource | aws_kms_key | Ensure KMS key Policy is defined | Terraform | [KmsKeyPolicyIsDefined.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/KmsKeyPolicyIsDefined.yaml) | +| 1503 | CKV2_AWS_65 | resource | aws_s3_bucket_ownership_controls | Ensure access control lists for S3 buckets are disabled | Terraform | [AWSdisableS3ACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml) | +| 1504 | CKV2_AWS_66 | resource | aws_mwaa_environment | Ensure MWAA environment is not publicly accessible | Terraform | [AWS_private_MWAA_environment.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml) | +| 1505 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) | +| 1506 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) | +| 1507 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | +| 1508 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | +| 1509 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) | +| 1510 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | Bicep | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) | +| 1511 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | [AzureManagedDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryption.py) | +| 1512 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountsTransportEncryption.py) | +| 1513 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | Bicep | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountsTransportEncryption.py) | +| 1514 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'enable_https_traffic_only' is enabled | Terraform | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsTransportEncryption.py) | +| 1515 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) | +| 1516 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | Bicep | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) | +| 1517 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLoggingEnabled.py) | +| 1518 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) | +| 1519 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | Bicep | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) | +| 1520 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py) | +| 1521 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) | +| 1522 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | Bicep | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) | +| 1523 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSApiServerAuthorizedIpRanges.py) | +| 1524 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) | +| 1525 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | Bicep | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) | +| 1526 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNetworkPolicy.py) | +| 1527 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) | +| 1528 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | Bicep | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) | +| 1529 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kubernetes Dashboard is disabled | Terraform | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSDashboardDisabled.py) | +| 1530 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | +| 1531 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | +| 1532 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | +| 1533 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | +| 1534 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | +| 1535 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | +| 1536 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | +| 1537 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | +| 1538 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | +| 1539 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | +| 1540 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | +| 1541 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | +| 1542 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) | +| 1543 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Bicep | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) | +| 1544 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1545 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1546 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1547 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1548 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1549 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1550 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1551 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1552 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1553 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1554 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1555 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1556 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkWatcherFlowLogPeriod.py) | +| 1557 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 1558 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 1559 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1560 | CKV_AZURE_13 | resource | azurerm_linux_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1561 | CKV_AZURE_13 | resource | azurerm_windows_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1562 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 1563 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 1564 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) | +| 1565 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Bicep | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) | +| 1566 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1567 | CKV_AZURE_14 | resource | azurerm_linux_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1568 | CKV_AZURE_14 | resource | azurerm_windows_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1569 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) | +| 1570 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | Bicep | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) | +| 1571 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1572 | CKV_AZURE_15 | resource | azurerm_linux_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1573 | CKV_AZURE_15 | resource | azurerm_windows_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1574 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) | +| 1575 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | Bicep | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) | +| 1576 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1577 | CKV_AZURE_16 | resource | azurerm_linux_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1578 | CKV_AZURE_16 | resource | azurerm_windows_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1579 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) | +| 1580 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Bicep | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) | +| 1581 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1582 | CKV_AZURE_17 | resource | azurerm_linux_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1583 | CKV_AZURE_17 | resource | azurerm_windows_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1584 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | +| 1585 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | Bicep | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | +| 1586 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1587 | CKV_AZURE_18 | resource | azurerm_linux_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1588 | CKV_AZURE_18 | resource | azurerm_windows_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1589 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | +| 1590 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | Bicep | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | +| 1591 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterStandardPricing.py) | +| 1592 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | +| 1593 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | Bicep | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | +| 1594 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactPhone.py) | +| 1595 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | +| 1596 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | +| 1597 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlert.py) | +| 1598 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | +| 1599 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | +| 1600 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlertAdmins.py) | +| 1601 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | +| 1602 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | +| 1603 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | +| 1604 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | +| 1605 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | +| 1606 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | +| 1607 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1608 | CKV_AZURE_23 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1609 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1610 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm | [SQLServerAuditingRetention90Days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingRetention90Days.py) | +| 1611 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | [SQLServerAuditingRetention90Days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingRetention90Days.py) | +| 1612 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1613 | CKV_AZURE_24 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1614 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1615 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | +| 1616 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | Bicep | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | +| 1617 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerThreatDetectionTypes.py) | +| 1618 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | +| 1619 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Bicep | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | +| 1620 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsEnabled.py) | +| 1621 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | +| 1622 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Bicep | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | +| 1623 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsToAdminsEnabled.py) | +| 1624 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | +| 1625 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Bicep | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | +| 1626 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerSSLEnforcementEnabled.py) | +| 1627 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | +| 1628 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Bicep | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | +| 1629 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerSSLEnforcementEnabled.py) | +| 1630 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1631 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1632 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1633 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1634 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1635 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | +| 1636 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | +| 1637 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogConnectionsEnabled.py) | +| 1638 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | +| 1639 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | +| 1640 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1641 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1642 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1643 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1644 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1645 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | +| 1646 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Bicep | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | +| 1647 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountLoggingQueueServiceEnabled.py) | +| 1648 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1649 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1650 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobServiceContainerPrivateAccess.py) | +| 1651 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1652 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1653 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1654 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1655 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDefaultNetworkAccessDeny.py) | +| 1656 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | Bicep | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | +| 1657 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | +| 1658 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | +| 1659 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountAzureServicesAccessEnabled.py) | +| 1660 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Bicep | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | +| 1661 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | +| 1662 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | +| 1663 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | +| 1664 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | Bicep | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | +| 1665 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileRetentionDays.py) | +| 1666 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | arm | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | +| 1667 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | Bicep | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | +| 1668 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileCategories.py) | +| 1669 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | +| 1670 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | Bicep | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | +| 1671 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | [CutsomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CutsomRoleDefinitionSubscriptionOwner.py) | +| 1672 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | arm | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | +| 1673 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | Bicep | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | +| 1674 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyExpirationDate.py) | +| 1675 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | +| 1676 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | Bicep | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | +| 1677 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretExpirationDate.py) | +| 1678 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | +| 1679 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | Bicep | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | +| 1680 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyvaultRecoveryEnabled.py) | +| 1681 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform | [StorageAccountName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountName.py) | +| 1682 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountMinimumTlsVersion.py) | +| 1683 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | [VMCredsInCustomData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMCredsInCustomData.py) | +| 1684 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | arm | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) | +| 1685 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Bicep | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) | +| 1686 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBSSLEnforcementEnabled.py) | +| 1687 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | [MariaDBPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBPublicAccessDisabled.py) | +| 1688 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | arm | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) | +| 1689 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) | +| 1690 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureScaleSetPassword.py) | +| 1691 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | arm | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) | +| 1692 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | Bicep | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) | +| 1693 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | +| 1694 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | +| 1695 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerMinTLSVersion.py) | +| 1696 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLPublicAccessDisabled.py) | +| 1697 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerMinTLSVersion.py) | +| 1698 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | [AzureDefenderOnServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnServers.py) | +| 1699 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsEnableAuthentication.py) | +| 1700 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1701 | CKV_AZURE_57 | resource | azurerm_linux_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1702 | CKV_AZURE_57 | resource | azurerm_windows_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1703 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | arm | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | +| 1704 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | Bicep | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | +| 1705 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | +| 1706 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | arm | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) | +| 1707 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | Bicep | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) | +| 1708 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDisablePublicAccess.py) | +| 1709 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | [AzureDefenderOnAppServices.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnAppServices.py) | +| 1710 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppDisallowCORS.py) | +| 1711 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | arm | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) | +| 1712 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | Bicep | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) | +| 1713 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1714 | CKV_AZURE_63 | resource | azurerm_linux_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1715 | CKV_AZURE_63 | resource | azurerm_windows_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1716 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageSyncPublicAccessDisabled.py) | +| 1717 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | arm | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) | +| 1718 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | Bicep | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) | +| 1719 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1720 | CKV_AZURE_65 | resource | azurerm_linux_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1721 | CKV_AZURE_65 | resource | azurerm_windows_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1722 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | arm | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) | +| 1723 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | Bicep | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) | +| 1724 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1725 | CKV_AZURE_66 | resource | azurerm_linux_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1726 | CKV_AZURE_66 | resource | azurerm_windows_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1727 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | +| 1728 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | +| 1729 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | [PostgreSQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerPublicAccessDisabled.py) | +| 1730 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | [AzureDefenderOnSqlServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServers.py) | +| 1731 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1732 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 1733 | CKV_AZURE_71 | resource | azurerm_linux_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 1734 | CKV_AZURE_71 | resource | azurerm_windows_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 1735 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1736 | CKV_AZURE_72 | resource | azurerm_linux_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1737 | CKV_AZURE_72 | resource | azurerm_windows_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1738 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1739 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1740 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1741 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1742 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Terraform | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerUsesDiskEncryption.py) | +| 1743 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | [AzureDataExplorerDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDataExplorerDoubleEncryptionEnabled.py) | +| 1744 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureBatchAccountUsesKeyVaultEncryption.py) | +| 1745 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | +| 1746 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | +| 1747 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1748 | CKV_AZURE_78 | resource | azurerm_linux_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1749 | CKV_AZURE_78 | resource | azurerm_windows_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1750 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | [AzureDefenderOnSqlServerVMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServerVMS.py) | +| 1751 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | arm | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) | +| 1752 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Bicep | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) | +| 1753 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | +| 1754 | CKV_AZURE_80 | resource | azurerm_windows_web_app | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | +| 1755 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | [AppServicePHPVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePHPVersion.py) | +| 1756 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePythonVersion.py) | +| 1757 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceJavaVersion.py) | +| 1758 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnStorage.py) | +| 1759 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | [AzureDefenderOnKubernetes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKubernetes.py) | +| 1760 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | [AzureDefenderOnContainerRegistry.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnContainerRegistry.py) | +| 1761 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | [AzureDefenderOnKeyVaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKeyVaults.py) | +| 1762 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | arm | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) | +| 1763 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | Bicep | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) | +| 1764 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1765 | CKV_AZURE_88 | resource | azurerm_linux_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1766 | CKV_AZURE_88 | resource | azurerm_windows_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1767 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | arm | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | +| 1768 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | Bicep | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | +| 1769 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCachePublicNetworkAccessEnabled.py) | +| 1770 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | [RedisCacheEnableNonSSLPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheEnableNonSSLPort.py) | +| 1771 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | +| 1772 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | +| 1773 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | arm | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | +| 1774 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Bicep | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | +| 1775 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryptionSet.py) | +| 1776 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | arm | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | +| 1777 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | Bicep | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | +| 1778 | CKV_AZURE_94 | resource | azurerm_mysql_flexible_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | +| 1779 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | +| 1780 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | arm | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) | +| 1781 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Bicep | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) | +| 1782 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMScaleSetsAutoOSImagePatchingEnabled.py) | +| 1783 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | [MySQLEncryptionEnaled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLEncryptionEnaled.py) | +| 1784 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | +| 1785 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | +| 1786 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | [AzureContainerGroupDeployedIntoVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerGroupDeployedIntoVirtualNetwork.py) | +| 1787 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | [CosmosDBAccountsRestrictedAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBAccountsRestrictedAccess.py) | +| 1788 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | arm | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) | +| 1789 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Bicep | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) | +| 1790 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBHaveCMK.py) | +| 1791 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | arm | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) | +| 1792 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | Bicep | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) | +| 1793 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisablesPublicNetwork.py) | +| 1794 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | [PostgressSQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgressSQLGeoBackupEnabled.py) | +| 1795 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryUsesGitRepository.py) | +| 1796 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | [DataFactoryNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryNoPublicNetworkAccess.py) | +| 1797 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | [DataLakeStoreEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataLakeStoreEncryption.py) | +| 1798 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | [EventgridDomainNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainNetworkAccess.py) | +| 1799 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | arm | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) | +| 1800 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | Bicep | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) | +| 1801 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIServicesUseVirtualNetwork.py) | +| 1802 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | [IoTNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/IoTNoPublicNetworkAccess.py) | +| 1803 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | arm | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) | +| 1804 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | Bicep | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) | +| 1805 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesFirewallRulesSettings.py) | +| 1806 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | [KeyVaultEnablesPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesPurgeProtection.py) | +| 1807 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | arm | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) | +| 1808 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | Bicep | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) | +| 1809 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesSoftDelete.py) | +| 1810 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | arm | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) | +| 1811 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | Bicep | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) | +| 1812 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyBackedByHSM.py) | +| 1813 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | arm | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) | +| 1814 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | Bicep | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) | +| 1815 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | [SQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerPublicAccessDisabled.py) | +| 1816 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | arm | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) | +| 1817 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | Bicep | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) | +| 1818 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretContentType.py) | +| 1819 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | [AKSEnablesPrivateClusters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEnablesPrivateClusters.py) | +| 1820 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | [AKSUsesAzurePoliciesAddon.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesAzurePoliciesAddon.py) | +| 1821 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | [AKSUsesDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesDiskEncryptionSet.py) | +| 1822 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | [NetworkInterfaceEnableIPForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkInterfaceEnableIPForwarding.py) | +| 1823 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | [AzureNetworkInterfacePublicIPAddressId.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureNetworkInterfacePublicIPAddressId.yaml) | +| 1824 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | +| 1825 | CKV_AZURE_120 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | +| 1826 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | arm | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) | +| 1827 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | Bicep | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) | +| 1828 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFrontDoorEnablesWAF.py) | +| 1829 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | [AppGWUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUseWAFMode.py) | +| 1830 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | arm | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) | +| 1831 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Bicep | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) | +| 1832 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontdoorUseWAFMode.py) | +| 1833 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | [AzureSearchPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchPublicNetworkAccessDisabled.py) | +| 1834 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | [AzureServiceFabricClusterProtectionLevel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py) | +| 1835 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | [ActiveDirectoryUsedAuthenticationServiceFabric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ActiveDirectoryUsedAuthenticationServiceFabric.py) | +| 1836 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | [MySQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLTreatDetectionEnabled.py) | +| 1837 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | [PostgresSQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgresSQLTreatDetectionEnabled.py) | +| 1838 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | [MariaDBGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBGeoBackupEnabled.py) | +| 1839 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | arm | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) | +| 1840 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | Bicep | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) | +| 1841 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLEncryptionEnabled.py) | +| 1842 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | [SecurityCenterContactEmails.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmails.py) | +| 1843 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py) | +| 1844 | CKV_AZURE_131 | parameter | string | SecureString parameter should not have hardcoded default values | Bicep | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/param/azure/SecureStringParameterNoHardcodedValue.py) | +| 1845 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | arm | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) | +| 1846 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Bicep | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) | +| 1847 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisableAccessKeyWrite.py) | +| 1848 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [FrontDoorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontDoorWAFACLCVE202144228.py) | +| 1849 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | arm | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) | +| 1850 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | Bicep | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) | +| 1851 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesDisablesPublicNetwork.py) | +| 1852 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [AppGatewayWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGatewayWAFACLCVE202144228.py) | +| 1853 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform | [PostgreSQLFlexiServerGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLFlexiServerGeoBackupEnabled.py) | +| 1854 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform | [ACRAdminAccountDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAdminAccountDisabled.py) | +| 1855 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform | [ACRAnonymousPullDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py) | +| 1856 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform | [ACRPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRPublicNetworkAccessDisabled.py) | +| 1857 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform | [CosmosDBLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBLocalAuthDisabled.py) | +| 1858 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform | [AKSLocalAdminDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLocalAdminDisabled.py) | +| 1859 | CKV_AZURE_142 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform | [MLCCLADisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLCCLADisabled.py) | +| 1860 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform | [AKSNodePublicIpDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNodePublicIpDisabled.py) | +| 1861 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform | [MLPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLPublicAccess.py) | +| 1862 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1863 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogRetentionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogRetentionEnabled.py) | +| 1864 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform | [PostgreSQLMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLMinTLSVersion.py) | +| 1865 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform | [RedisCacheMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheMinTLSVersion.py) | +| 1866 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 1867 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 1868 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 1869 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 1870 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | +| 1871 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | +| 1872 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform | [MLComputeClusterMinNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLComputeClusterMinNodes.py) | +| 1873 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | arm | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | +| 1874 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | Bicep | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | +| 1875 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMEncryptionAtHost.py) | +| 1876 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | [APIManagementCertsEnforced.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementCertsEnforced.py) | +| 1877 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 1878 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | [AppServiceSlotMinTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py) | +| 1879 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotDebugDisabled.py) | +| 1880 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | [MSSQLServerAuditPolicyLogMonitor.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerAuditPolicyLogMonitor.py) | +| 1881 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesDataExfilProtection.py) | +| 1882 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace has not public | Terraform | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py) | +| 1883 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | +| 1884 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | +| 1885 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 1886 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 1887 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 1888 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 1889 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | +| 1890 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | +| 1891 | CKV_AZURE_161 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal is enabled on for HTTPS | Terraform | [SpringCloudAPIPortalHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalHTTPSOnly.py) | +| 1892 | CKV_AZURE_162 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal Public Access Is Disabled | Terraform | [SpringCloudAPIPortalPublicAccessIsDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py) | +| 1893 | CKV_AZURE_163 | resource | azurerm_container_registry | Enable vulnerability scanning for container images. | Terraform | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py) | +| 1894 | CKV_AZURE_164 | resource | azurerm_container_registry | Ensures that ACR uses signed/trusted images | Terraform | [ACRUseSignedImages.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRUseSignedImages.py) | +| 1895 | CKV_AZURE_165 | resource | azurerm_container_registry | Ensure geo-replicated container registries to match multi-region container deployments. | Terraform | [ACRGeoreplicated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py) | +| 1896 | CKV_AZURE_166 | resource | azurerm_container_registry | Ensure container image quarantine, scan, and mark images verified | Terraform | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableImageQuarantine.py) | +| 1897 | CKV_AZURE_167 | resource | azurerm_container_registry | Ensure a retention policy is set to cleanup untagged manifests. | Terraform | [ACREnableRetentionPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py) | +| 1898 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | +| 1899 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster_node_pool | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | +| 1900 | CKV_AZURE_169 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Terraform | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSPoolTypeIsScaleSet.py) | +| 1901 | CKV_AZURE_170 | resource | azurerm_kubernetes_cluster | Ensure that AKS use the Paid Sku for its SLA | Terraform | [AKSIsPaidSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSIsPaidSku.py) | +| 1902 | CKV_AZURE_171 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster upgrade channel is chosen | Terraform | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUpgradeChannel.py) | +| 1903 | CKV_AZURE_172 | resource | azurerm_kubernetes_cluster | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Terraform | [AKSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSSecretStoreRotation.py) | +| 1904 | CKV_AZURE_173 | resource | azurerm_api_management | Ensure API management uses at least TLS 1.2 | Terraform | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py) | +| 1905 | CKV_AZURE_174 | resource | azurerm_api_management | Ensure API management public access is disabled | Terraform | [APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementPublicAccess.py) | +| 1906 | CKV_AZURE_175 | resource | azurerm_web_pubsub | Ensure Web PubSub uses a SKU with an SLA | Terraform | [PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSKUSLA.py) | +| 1907 | CKV_AZURE_176 | resource | azurerm_web_pubsub | Ensure Web PubSub uses managed identities to access Azure resources | Terraform | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSpecifyIdentity.py) | +| 1908 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | +| 1909 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine_scale_set | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | +| 1910 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | +| 1911 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine_scale_set | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | +| 1912 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1913 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1914 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1915 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1916 | CKV_AZURE_180 | resource | azurerm_kusto_cluster | Ensure that data explorer uses Sku with an SLA | Terraform | [DataExplorerSKUHasSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerSKUHasSLA.py) | +| 1917 | CKV_AZURE_181 | resource | azurerm_kusto_cluster | Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. | Terraform | [DataExplorerServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerServiceIdentity.py) | +| 1918 | CKV_AZURE_182 | resource | azurerm_virtual_network | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | +| 1919 | CKV_AZURE_182 | resource | azurerm_virtual_network_dns_servers | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | +| 1920 | CKV_AZURE_183 | resource | azurerm_virtual_network | Ensure that VNET uses local DNS addresses | Terraform | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetLocalDNS.py) | +| 1921 | CKV_AZURE_184 | resource | azurerm_app_configuration | Ensure 'local_auth_enabled' is set to 'False' | Terraform | [AppConfigLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigLocalAuth.py) | +| 1922 | CKV_AZURE_185 | resource | azurerm_app_configuration | Ensure 'Public Access' is not Enabled for App configuration | Terraform | [AppConfigPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPublicAccess.py) | +| 1923 | CKV_AZURE_186 | resource | azurerm_app_configuration | Ensure App configuration encryption block is set. | Terraform | [AppConfigEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigEncryption.py) | +| 1924 | CKV_AZURE_187 | resource | azurerm_app_configuration | Ensure App configuration purge protection is enabled | Terraform | [AppConfigPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPurgeProtection.py) | +| 1925 | CKV_AZURE_188 | resource | azurerm_app_configuration | Ensure App configuration Sku is standard | Terraform | [AppConfigSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigSku.py) | +| 1926 | CKV_AZURE_189 | resource | azurerm_key_vault | Ensure that Azure Key Vault disables public network access | Terraform | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py) | +| 1927 | CKV_AZURE_190 | resource | azurerm_storage_account | Ensure that Storage blobs restrict public access | Terraform | [StorageBlobRestrictPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py) | +| 1928 | CKV_AZURE_191 | resource | azurerm_eventgrid_topic | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Terraform | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicIdentityProviderEnabled.py) | +| 1929 | CKV_AZURE_192 | resource | azurerm_eventgrid_topic | Ensure that Azure Event Grid Topic local Authentication is disabled | Terraform | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicLocalAuthentication.py) | +| 1930 | CKV_AZURE_193 | resource | azurerm_eventgrid_topic | Ensure public network access is disabled for Azure Event Grid Topic | Terraform | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicNetworkAccess.py) | +| 1931 | CKV_AZURE_194 | resource | azurerm_eventgrid_domain | Ensure that Managed identity provider is enabled for Azure Event Grid Domain | Terraform | [EventgridDomainIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainIdentityProviderEnabled.py) | +| 1932 | CKV_AZURE_195 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain local Authentication is disabled | Terraform | [EventgridDomainLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainLocalAuthentication.py) | +| 1933 | CKV_AZURE_196 | resource | azurerm_signalr_service | Ensure that SignalR uses a Paid Sku for its SLA | Terraform | [SignalRSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SignalRSKUSLA.py) | +| 1934 | CKV_AZURE_197 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN disables the HTTP endpoint | Terraform | [CDNDisableHttpEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNDisableHttpEndpoints.py) | +| 1935 | CKV_AZURE_198 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN enables the HTTPS endpoint | Terraform | [CDNEnableHttpsEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNEnableHttpsEndpoints.py) | +| 1936 | CKV_AZURE_199 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses double encryption | Terraform | [AzureServicebusDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusDoubleEncryptionEnabled.py) | +| 1937 | CKV_AZURE_200 | resource | azurerm_cdn_endpoint_custom_domain | Ensure the Azure CDN endpoint is using the latest version of TLS encryption | Terraform | [CDNTLSProtocol12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py) | +| 1938 | CKV_AZURE_201 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses a customer-managed key to encrypt data | Terraform | [AzureServicebusHasCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusHasCMK.py) | +| 1939 | CKV_AZURE_202 | resource | azurerm_servicebus_namespace | Ensure that Managed identity provider is enabled for Azure Service Bus | Terraform | [AzureServicebusIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusIdentityProviderEnabled.py) | +| 1940 | CKV_AZURE_203 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus Local Authentication is disabled | Terraform | [AzureServicebusLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusLocalAuthDisabled.py) | +| 1941 | CKV_AZURE_204 | resource | azurerm_servicebus_namespace | Ensure 'public network access enabled' is set to 'False' for Azure Service Bus | Terraform | [AzureServicebusPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusPublicAccessDisabled.py) | +| 1942 | CKV_AZURE_205 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus is using the latest version of TLS encryption | Terraform | [AzureServicebusMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusMinTLSVersion.py) | +| 1943 | CKV_AZURE_206 | resource | azurerm_storage_account | Ensure that Storage Accounts use replication | Terraform | [StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsUseReplication.py) | +| 1944 | CKV_AZURE_207 | resource | azurerm_search_service | Ensure Azure Cognitive Search service uses managed identities to access Azure resources | Terraform | [AzureSearchManagedIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchManagedIdentity.py) | +| 1945 | CKV_AZURE_208 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for index updates | Terraform | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAIndex.py) | +| 1946 | CKV_AZURE_209 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for search index queries | Terraform | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAQueryUpdates.py) | +| 1947 | CKV_AZURE_210 | resource | azurerm_search_service | Ensure Azure Cognitive Search service allowed IPS does not give public Access | Terraform | [AzureSearchAllowedIPsNotGlobal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchAllowedIPsNotGlobal.py) | +| 1948 | CKV_AZURE_211 | resource | azurerm_service_plan | Ensure App Service plan suitable for production use | Terraform | [AppServiceSkuMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSkuMinimum.py) | +| 1949 | CKV_AZURE_212 | resource | azurerm_service_plan | Ensure App Service has a minimum number of instances for failover | Terraform | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py) | +| 1950 | CKV_AZURE_213 | resource | azurerm_app_service | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1951 | CKV_AZURE_213 | resource | azurerm_linux_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1952 | CKV_AZURE_213 | resource | azurerm_windows_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1953 | CKV_AZURE_214 | resource | azurerm_linux_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | +| 1954 | CKV_AZURE_214 | resource | azurerm_windows_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | +| 1955 | CKV_AZURE_215 | resource | azurerm_api_management_backend | Ensure API management backend uses https | Terraform | [APIManagementBackendHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementBackendHTTPS.py) | +| 1956 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | arm | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | +| 1957 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Bicep | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | +| 1958 | CKV_AZURE_216 | resource | azurerm_firewall | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Terraform | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDenyThreatIntelMode.py) | +| 1959 | CKV_AZURE_217 | resource | azurerm_application_gateway | Ensure Azure Application gateways listener that allow connection requests over HTTP | Terraform | [AppGWUsesHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUsesHttps.py) | +| 1960 | CKV_AZURE_218 | resource | azurerm_application_gateway | Ensure Application Gateway defines secure protocols for in transit communication | Terraform | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py) | +| 1961 | CKV_AZURE_219 | resource | azurerm_firewall | Ensure Firewall defines a firewall policy | Terraform | [AzureFirewallDefinesPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDefinesPolicy.py) | +| 1962 | CKV_AZURE_220 | resource | azurerm_firewall_policy | Ensure Firewall policy has IDPS mode as deny | Terraform | [AzureFirewallPolicyIDPSDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallPolicyIDPSDeny.py) | +| 1963 | CKV_AZURE_221 | resource | azurerm_linux_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1964 | CKV_AZURE_221 | resource | azurerm_linux_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1965 | CKV_AZURE_221 | resource | azurerm_windows_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1966 | CKV_AZURE_221 | resource | azurerm_windows_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1967 | CKV_AZURE_222 | resource | azurerm_linux_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | +| 1968 | CKV_AZURE_222 | resource | azurerm_windows_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | +| 1969 | CKV_AZURE_223 | resource | azurerm_eventhub_namespace | Ensure Event Hub Namespace uses at least TLS 1.2 | Terraform | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceMinTLS12.py) | +| 1970 | CKV_AZURE_224 | resource | azurerm_mssql_database | Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity | Terraform | [SQLDatabaseLedgerEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseLedgerEnabled.py) | +| 1971 | CKV_AZURE_225 | resource | azurerm_service_plan | Ensure the App Service Plan is zone redundant | Terraform | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py) | +| 1972 | CKV_AZURE_226 | resource | azurerm_kubernetes_cluster | Ensure ephemeral disks are used for OS disks | Terraform | [AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py) | +| 1973 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | +| 1974 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster_node_pool | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | +| 1975 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | [StorageCriticalDataEncryptedCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageCriticalDataEncryptedCMK.yaml) | +| 1976 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | +| 1977 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | +| 1978 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1979 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1980 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1981 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1982 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1983 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1984 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1985 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1986 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1987 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1988 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1989 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1990 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | +| 1991 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | +| 1992 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | [AzureActiveDirectoryAdminIsConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureActiveDirectoryAdminIsConfigured.yaml) | +| 1993 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 1994 | CKV2_AZURE_8 | resource | azurerm_storage_account | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 1995 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 1996 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | [VirtualMachinesUtilizingManagedDisks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VirtualMachinesUtilizingManagedDisks.yaml) | +| 1997 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | +| 1998 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | +| 1999 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | [DataExplorerEncryptionUsesCustomKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DataExplorerEncryptionUsesCustomKey.yaml) | +| 2000 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | [VMHasBackUpMachine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VMHasBackUpMachine.yaml) | +| 2001 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | +| 2002 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | +| 2003 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | +| 2004 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | +| 2005 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | [AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml) | +| 2006 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | +| 2007 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | +| 2008 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | +| 2009 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | +| 2010 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | [AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml) | +| 2011 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 2012 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 2013 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 2014 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 2015 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 2016 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 2017 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | +| 2018 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | +| 2019 | CKV2_AZURE_23 | resource | Microsoft.AppPlatform/Spring | Ensure Azure spring cloud is configured with Virtual network (Vnet) | arm | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureSpringCloudConfigWithVnet.yaml) | +| 2020 | CKV2_AZURE_23 | resource | azurerm_spring_cloud_service | Ensure Azure spring cloud is configured with Virtual network (Vnet) | Terraform | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudConfigWithVnet.yaml) | +| 2021 | CKV2_AZURE_24 | resource | azurerm_automation_account | Ensure Azure automation account does NOT have overly permissive network access | Terraform | [AzureAutomationAccNotOverlyPermissiveNetAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccNotOverlyPermissiveNetAccess.yaml) | +| 2022 | CKV2_AZURE_25 | resource | azurerm_mssql_database | Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled | Terraform | [AzureSqlDbEnableTransparentDataEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSqlDbEnableTransparentDataEncryption.yaml) | +| 2023 | CKV2_AZURE_26 | resource | azurerm_postgresql_flexible_server_firewall_rule | Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access | Terraform | [AzurePostgreSQLFlexServerNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLFlexServerNotOverlyPermissive.yaml) | +| 2024 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | arm | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | +| 2025 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Bicep | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | +| 2026 | CKV2_AZURE_27 | resource | azurerm_mssql_server | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Terraform | [AzureConfigMSSQLwithAD.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml) | +| 2027 | CKV2_AZURE_28 | resource | azurerm_container_group | Ensure Container Instance is configured with managed identity | Terraform | [AzureContainerInstanceconfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureContainerInstanceconfigManagedIdentity.yaml) | +| 2028 | CKV2_AZURE_29 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Azure CNI networking enabled | Terraform | [AzureAKSclusterAzureCNIEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAKSclusterAzureCNIEnabled.yaml) | +| 2029 | CKV2_AZURE_30 | resource | azurerm_container_registry_webhook | Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook | Terraform | [AzureACR_HTTPSwebhook.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureACR_HTTPSwebhook.yaml) | +| 2030 | CKV2_AZURE_31 | resource | azurerm_subnet | Ensure VNET subnet is configured with a Network Security Group (NSG) | Terraform | [AzureSubnetConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSubnetConfigWithNSG.yaml) | +| 2031 | CKV2_AZURE_32 | resource | azurerm_key_vault | Ensure private endpoint is configured to key vault | Terraform | [AzureKeyVaultConfigPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureKeyVaultConfigPrivateEndpoint.yaml) | +| 2032 | CKV2_AZURE_33 | resource | azurerm_storage_account | Ensure storage account is configured with private endpoint | Terraform | [AzureStorageAccConfigWithPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithPrivateEndpoint.yaml) | +| 2033 | CKV2_AZURE_34 | resource | azurerm_sql_firewall_rule | Ensure Azure SQL server firewall is not overly permissive | Terraform | [AzureSQLserverNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSQLserverNotOverlyPermissive.yaml) | +| 2034 | CKV2_AZURE_35 | resource | azurerm_recovery_services_vault | Ensure Azure recovery services vault is configured with managed identity | Terraform | [AzureRecoveryServicesvaultConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureRecoveryServicesvaultConfigManagedIdentity.yaml) | +| 2035 | CKV2_AZURE_36 | resource | azurerm_automation_account | Ensure Azure automation account is configured with managed identity | Terraform | [AzureAutomationAccConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccConfigManagedIdentity.yaml) | +| 2036 | CKV2_AZURE_37 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is using latest TLS (1.2) | Terraform | [AzureMariaDBserverUsingTLS_1_2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverUsingTLS_1_2.yaml) | +| 2037 | CKV2_AZURE_38 | resource | azurerm_storage_account | Ensure soft-delete is enabled on Azure storage account | Terraform | [AzureStorageAccountEnableSoftDelete.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccountEnableSoftDelete.yaml) | +| 2038 | CKV_AZUREPIPELINES_1 | azure_pipelines | jobs | Ensure container job uses a non latest version tag | Azure Pipelines | [ContainerLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerLatestTag.py) | +| 2039 | CKV_AZUREPIPELINES_1 | azure_pipelines | stages[].jobs[] | Ensure container job uses a non latest version tag | Azure Pipelines | [ContainerLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerLatestTag.py) | +| 2040 | CKV_AZUREPIPELINES_2 | azure_pipelines | jobs | Ensure container job uses a version digest | Azure Pipelines | [ContainerDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerDigest.py) | +| 2041 | CKV_AZUREPIPELINES_2 | azure_pipelines | stages[].jobs[] | Ensure container job uses a version digest | Azure Pipelines | [ContainerDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerDigest.py) | +| 2042 | CKV_AZUREPIPELINES_3 | azure_pipelines | jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | [SetSecretVariable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/SetSecretVariable.py) | +| 2043 | CKV_AZUREPIPELINES_3 | azure_pipelines | stages[].jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | [SetSecretVariable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/SetSecretVariable.py) | +| 2044 | CKV_AZUREPIPELINES_5 | azure_pipelines | *.container[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | +| 2045 | CKV_AZUREPIPELINES_5 | azure_pipelines | jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | +| 2046 | CKV_AZUREPIPELINES_5 | azure_pipelines | stages[].jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | +| 2047 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/bridgecrew/credentials.py) | +| 2048 | CKV_BITBUCKET_1 | bitbucket_configuration | * | Merge requests should require at least 2 approvals | bitbucket_configuration | [merge_requests_approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket/checks/merge_requests_approvals.py) | +| 2049 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | [{image:image,__startline__:__startline__,__endline__:__endline__}] | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | +| 2050 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines.*.[*][][][].step.{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | +| 2051 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines.default[].step.{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | +| 2052 | CKV_CIRCLECIPIPELINES_1 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | circleci_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/latest_image.py) | +| 2053 | CKV_CIRCLECIPIPELINES_2 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image version is referenced via hash not arbitrary tag. | circleci_pipelines | [image_version_not_hash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/image_version_not_hash.py) | +| 2054 | CKV_CIRCLECIPIPELINES_3 | circleci_pipelines | orbs.{orbs: @} | Ensure mutable development orbs are not used. | circleci_pipelines | [prevent_development_orbs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/prevent_development_orbs.py) | +| 2055 | CKV_CIRCLECIPIPELINES_4 | circleci_pipelines | orbs.{orbs: @} | Ensure unversioned volatile orbs are not used. | circleci_pipelines | [prevent_volatile_orbs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/prevent_volatile_orbs.py) | +| 2056 | CKV_CIRCLECIPIPELINES_5 | circleci_pipelines | jobs.*.steps[] | Suspicious use of netcat with IP address | circleci_pipelines | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/ReverseShellNetcat.py) | +| 2057 | CKV_CIRCLECIPIPELINES_6 | circleci_pipelines | jobs.*.steps[] | Ensure run commands are not vulnerable to shell injection | circleci_pipelines | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/ShellInjection.py) | +| 2058 | CKV_CIRCLECIPIPELINES_7 | circleci_pipelines | jobs.*.steps[] | Suspicious use of curl in run task | circleci_pipelines | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/SuspectCurlInScript.py) | +| 2059 | CKV_CIRCLECIPIPELINES_8 | circleci_pipelines | executors.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Detecting image usages in circleci pipelines | circleci_pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/DetectImagesUsage.py) | +| 2060 | CKV_CIRCLECIPIPELINES_8 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Detecting image usages in circleci pipelines | circleci_pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/DetectImagesUsage.py) | +| 2061 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | [SpacesBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketVersioning.py) | +| 2062 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | [DropletSSHKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/DropletSSHKeys.py) | +| 2063 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | [SpacesBucketPublicRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketPublicRead.py) | +| 2064 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | [FirewallIngressOpen.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/FirewallIngressOpen.py) | +| 2065 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | [ExposePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/ExposePort22.py) | +| 2066 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | [HealthcheckExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/HealthcheckExists.py) | +| 2067 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | [UserExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/UserExists.py) | +| 2068 | CKV_DOCKER_4 | dockerfile | ADD | Ensure that COPY is used instead of ADD in Dockerfiles | dockerfile | [AddExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/AddExists.py) | +| 2069 | CKV_DOCKER_5 | dockerfile | RUN | Ensure update instructions are not use alone in the Dockerfile | dockerfile | [UpdateNotAlone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/UpdateNotAlone.py) | +| 2070 | CKV_DOCKER_6 | dockerfile | MAINTAINER | Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) | dockerfile | [MaintainerExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/MaintainerExists.py) | +| 2071 | CKV_DOCKER_7 | dockerfile | FROM | Ensure the base image uses a non latest version tag | dockerfile | [ReferenceLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/ReferenceLatestTag.py) | +| 2072 | CKV_DOCKER_8 | dockerfile | USER | Ensure the last USER is not root | dockerfile | [RootUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/RootUser.py) | +| 2073 | CKV_DOCKER_9 | dockerfile | RUN | Ensure that APT isn't used | dockerfile | [RunUsingAPT.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/RunUsingAPT.py) | +| 2074 | CKV_DOCKER_10 | dockerfile | WORKDIR | Ensure that WORKDIR values are absolute paths | dockerfile | [WorkdirIsAbsolute.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/WorkdirIsAbsolute.py) | +| 2075 | CKV_DOCKER_11 | dockerfile | FROM | Ensure From Alias are unique for multistage builds. | dockerfile | [AliasIsUnique.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/AliasIsUnique.py) | +| 2076 | CKV2_DOCKER_1 | resource | RUN | Ensure that sudo isn't used | dockerfile | [RunUsingSudo.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUsingSudo.yaml) | +| 2077 | CKV2_DOCKER_2 | resource | RUN | Ensure that certificate validation isn't disabled with curl | dockerfile | [RunUnsafeCurl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUnsafeCurl.yaml) | +| 2078 | CKV2_DOCKER_3 | resource | RUN | Ensure that certificate validation isn't disabled with wget | dockerfile | [RunUnsafeWget.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUnsafeWget.yaml) | +| 2079 | CKV2_DOCKER_4 | resource | RUN | Ensure that certificate validation isn't disabled with the pip '--trusted-host' option | dockerfile | [RunPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunPipTrustedHost.yaml) | +| 2080 | CKV2_DOCKER_5 | resource | ARG | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) | +| 2081 | CKV2_DOCKER_5 | resource | ENV | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) | +| 2082 | CKV2_DOCKER_5 | resource | RUN | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) | +| 2083 | CKV2_DOCKER_6 | resource | ARG | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) | +| 2084 | CKV2_DOCKER_6 | resource | ENV | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) | +| 2085 | CKV2_DOCKER_6 | resource | RUN | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) | +| 2086 | CKV2_DOCKER_7 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option | dockerfile | [RunApkAllowUntrusted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunApkAllowUntrusted.yaml) | +| 2087 | CKV2_DOCKER_8 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option | dockerfile | [RunAptGetAllowUnauthenticated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunAptGetAllowUnauthenticated.yaml) | +| 2088 | CKV2_DOCKER_9 | resource | RUN | Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option | dockerfile | [RunYumNoGpgCheck.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunYumNoGpgCheck.yaml) | +| 2089 | CKV2_DOCKER_10 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options | dockerfile | [RunRpmNoSignature.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunRpmNoSignature.yaml) | +| 2090 | CKV2_DOCKER_11 | resource | RUN | Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | dockerfile | [RunAptGetForceYes.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunAptGetForceYes.yaml) | +| 2091 | CKV2_DOCKER_12 | resource | ARG | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) | +| 2092 | CKV2_DOCKER_12 | resource | ENV | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) | +| 2093 | CKV2_DOCKER_12 | resource | RUN | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) | +| 2094 | CKV2_DOCKER_13 | resource | RUN | Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false | dockerfile | [RunNpmConfigSetStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunNpmConfigSetStrictSsl.yaml) | +| 2095 | CKV2_DOCKER_14 | resource | ARG | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) | +| 2096 | CKV2_DOCKER_14 | resource | ENV | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) | +| 2097 | CKV2_DOCKER_14 | resource | RUN | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) | +| 2098 | CKV2_DOCKER_15 | resource | RUN | Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option | dockerfile | [RunYumConfigManagerSslVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunYumConfigManagerSslVerify.yaml) | +| 2099 | CKV2_DOCKER_16 | resource | ARG | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) | +| 2100 | CKV2_DOCKER_16 | resource | ENV | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) | +| 2101 | CKV2_DOCKER_16 | resource | RUN | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) | +| 2102 | CKV2_DOCKER_17 | resource | RUN | Ensure that 'chpasswd' is not used to set or remove passwords | dockerfile | [RunChpasswd.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunChpasswd.yaml) | +| 2103 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClusterLogging.py) | +| 2104 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | [GoogleComputeFirewallUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress22.py) | +| 2105 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3389.py) | +| 2106 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | [GoogleComputeSSLPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSSLPolicy.py) | +| 2107 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | [GoogleCloudSqlDatabaseRequireSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py) | +| 2108 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | [GKEDisableLegacyAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDisableLegacyAuth.py) | +| 2109 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMonitoringEnabled.py) | +| 2110 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoRepairEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoRepairEnabled.py) | +| 2111 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoUpgradeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoUpgradeEnabled.py) | +| 2112 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | [GoogleCloudSqlDatabasePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabasePubliclyAccessible.py) | +| 2113 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | [GKENetworkPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENetworkPolicyEnabled.py) | +| 2114 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | [GKEClientCertificateDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py) | +| 2115 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | [GoogleCloudSqlBackupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlBackupConfiguration.py) | +| 2116 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | [GoogleBigQueryDatasetPublicACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleBigQueryDatasetPublicACL.py) | +| 2117 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | [GoogleCloudDNSSECEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSSECEnabled.py) | +| 2118 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | [GoogleCloudDNSKeySpecsRSASHA1.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSKeySpecsRSASHA1.py) | +| 2119 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | [GKEPublicControlPlane.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPublicControlPlane.py) | +| 2120 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | [GKEBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBasicAuth.py) | +| 2121 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | [GKEMasterAuthorizedNetworksEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMasterAuthorizedNetworksEnabled.py) | +| 2122 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | [GKEHasLabels.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEHasLabels.py) | +| 2123 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | [GKEUseCosImage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py) | +| 2124 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | [GKEAliasIpEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEAliasIpEnabled.py) | +| 2125 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | [GKEPodSecurityPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py) | +| 2126 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | [GKEPrivateClusterConfig.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateClusterConfig.py) | +| 2127 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | [GoogleSubnetworkLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkLoggingEnabled.py) | +| 2128 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | [GoogleProjectDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectDefaultNetwork.py) | +| 2129 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | +| 2130 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | +| 2131 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | [GoogleStorageBucketUniformAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketUniformAccess.py) | +| 2132 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 2133 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 2134 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 2135 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 2136 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 2137 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 2138 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 2139 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 2140 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 2141 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | [GoogleComputeProjectOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeProjectOSLogin.py) | +| 2142 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 2143 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 2144 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 2145 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 2146 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 2147 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 2148 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 2149 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 2150 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 2151 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDiskEncryption.py) | +| 2152 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeBootDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBootDiskEncryption.py) | +| 2153 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 2154 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 2155 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 2156 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 2157 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 2158 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 2159 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | +| 2160 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | +| 2161 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | [GoogleProjectAdminServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectAdminServiceAccount.py) | +| 2162 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | [GoogleKMSRotationPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py) | +| 2163 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | +| 2164 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | +| 2165 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | +| 2166 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | +| 2167 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | +| 2168 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | +| 2169 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | +| 2170 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | +| 2171 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | +| 2172 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | +| 2173 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | +| 2174 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | +| 2175 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | [GoogleCloudMySqlLocalInfileOff.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudMySqlLocalInfileOff.py) | +| 2176 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogCheckpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py) | +| 2177 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogConnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py) | +| 2178 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogDisconnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py) | +| 2179 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogLockWaits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py) | +| 2180 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | [GoogleCloudPostgreSqlLogMinMessage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinMessage.py) | +| 2181 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | [GoogleCloudPostgreSqlLogTemp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogTemp.py) | +| 2182 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | [GoogleCloudPostgreSqlLogMinDuration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinDuration.py) | +| 2183 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | [GoogleCloudSqlServerCrossDBOwnershipChaining.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerCrossDBOwnershipChaining.py) | +| 2184 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | [GoogleCloudSqlServerContainedDBAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerContainedDBAuthentication.py) | +| 2185 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | [GoogleCloudSqlServerNoPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerNoPublicIP.py) | +| 2186 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | [GKEEnableVPCFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableVPCFlowLogs.py) | +| 2187 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | [CloudStorageLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageLogging.py) | +| 2188 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | [CloudStorageSelfLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageSelfLogging.py) | +| 2189 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | [GKEPrivateNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateNodes.py) | +| 2190 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | [GKEKubernetesRBACGoogleGroups.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEKubernetesRBACGoogleGroups.py) | +| 2191 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | [GKEBinaryAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py) | +| 2192 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | +| 2193 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | +| 2194 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | +| 2195 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | +| 2196 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | [GKEReleaseChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEReleaseChannel.py) | +| 2197 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | [GKEEnableShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableShieldedNodes.py) | +| 2198 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | +| 2199 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | +| 2200 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [CloudArmorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py) | +| 2201 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | [GoogleSubnetworkPrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py) | +| 2202 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | [GoogleComputeFirewallUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress21.py) | +| 2203 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | [GoogleSubnetworkIPV6PrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py) | +| 2204 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | [GoogleComputeFirewallUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress20.py) | +| 2205 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | [CloudStorageVersioningEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageVersioningEnabled.py) | +| 2206 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | [CloudSqlMajorVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudSqlMajorVersion.py) | +| 2207 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryTableEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableEncryptedWithCMK.py) | +| 2208 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryDatasetEncryptedWithCMK.py) | +| 2209 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | [GoogleKMSPreventDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSPreventDestroy.py) | +| 2210 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [CloudPubSubEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudPubSubEncryptedWithCMK.py) | +| 2211 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [ArtifactRegsitryEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegsitryEncryptedWithCMK.py) | +| 2212 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigTableInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceEncryptedWithCMK.py) | +| 2213 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | [CloudBuildWorkersArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudBuildWorkersArePrivate.py) | +| 2214 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | [DataFusionPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionPrivateInstance.py) | +| 2215 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3306.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3306.py) | +| 2216 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | [VertexAIPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIPrivateInstance.py) | +| 2217 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataflowJobEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowJobEncryptedWithCMK.py) | +| 2218 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataprocClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocClusterEncryptedWithCMK.py) | +| 2219 | CKV_GCP_92 | resource | google_vertex_ai_dataset | Ensure Vertex AI datasets uses a CMK (Customer Manager Key) | Terraform | [VertexAIDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIDatasetEncryptedWithCMK.py) | +| 2220 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [SpannerDatabaseEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseEncryptedWithCMK.py) | +| 2221 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | [DataflowPrivateJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowPrivateJob.py) | +| 2222 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | [MemorystoreForRedisAuthEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisAuthEnabled.py) | +| 2223 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Manager Key) | Terraform | [VertexAIMetadataStoreEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIMetadataStoreEncryptedWithCMK.py) | +| 2224 | CKV_GCP_97 | resource | google_redis_instance | Ensure Memorystore for Redis uses intransit encryption | Terraform | [MemorystoreForRedisInTransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisInTransitEncryption.py) | +| 2225 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | +| 2226 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | +| 2227 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | +| 2228 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | +| 2229 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | +| 2230 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | +| 2231 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | +| 2232 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | +| 2233 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | +| 2234 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | +| 2235 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | [DataprocPublicIpCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPublicIpCluster.py) | +| 2236 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | [DataFusionStackdriverLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverLogs.py) | +| 2237 | CKV_GCP_105 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver monitoring enabled | Terraform | [DataFusionStackdriverMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverMonitoring.py) | +| 2238 | CKV_GCP_106 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | Terraform | [GoogleComputeFirewallUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress80.py) | +| 2239 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 2240 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 2241 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 2242 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 2243 | CKV_GCP_108 | resource | google_sql_database_instance | Ensure hostnames are logged for GCP PostgreSQL databases | Terraform | [GoogleCloudPostgreSqlLogHostname.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogHostname.py) | +| 2244 | CKV_GCP_109 | resource | google_sql_database_instance | Ensure the GCP PostgreSQL database log levels are set to ERROR or lower | Terraform | [GoogleCloudPostgreSqlLogMinErrorStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinErrorStatement.py) | +| 2245 | CKV_GCP_110 | resource | google_sql_database_instance | Ensure pgAudit is enabled for your GCP PostgreSQL database | Terraform | [GoogleCloudPostgreSqlEnablePgaudit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlEnablePgaudit.py) | +| 2246 | CKV_GCP_111 | resource | google_sql_database_instance | Ensure GCP PostgreSQL logs SQL statements | Terraform | [GoogleCloudPostgreSqlLogStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogStatement.py) | +| 2247 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_binding | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | +| 2248 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_member | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | +| 2249 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_policy | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | +| 2250 | CKV_GCP_113 | data | google_iam_policy | Ensure IAM policy should not define public access | Terraform | [GooglePolicyIsPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py) | +| 2251 | CKV_GCP_114 | resource | google_storage_bucket | Ensure public access prevention is enforced on Cloud Storage bucket | Terraform | [GoogleStoragePublicAccessPrevention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStoragePublicAccessPrevention.py) | +| 2252 | CKV_GCP_115 | resource | google_organization_iam_binding | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | +| 2253 | CKV_GCP_115 | resource | google_organization_iam_member | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | +| 2254 | CKV_GCP_116 | resource | google_folder_iam_binding | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | +| 2255 | CKV_GCP_116 | resource | google_folder_iam_member | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | +| 2256 | CKV_GCP_117 | resource | google_project_iam_binding | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | +| 2257 | CKV_GCP_117 | resource | google_project_iam_member | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | +| 2258 | CKV_GCP_118 | resource | google_iam_workload_identity_pool_provider | Ensure IAM workload identity pool provider is restricted | Terraform | [GoogleIAMWorkloadIdentityConditional.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleIAMWorkloadIdentityConditional.py) | +| 2259 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | [GKEClustersAreNotUsingDefaultServiceAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GKEClustersAreNotUsingDefaultServiceAccount.yaml) | +| 2260 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | [GCPProjectHasNoLegacyNetworks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPProjectHasNoLegacyNetworks.yaml) | +| 2261 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | [ServiceAccountHasGCPmanagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/ServiceAccountHasGCPmanagedKey.yaml) | +| 2262 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 2263 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 2264 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 2265 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 2266 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | +| 2267 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | +| 2268 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | +| 2269 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | +| 2270 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | +| 2271 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | +| 2272 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | +| 2273 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | +| 2274 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | +| 2275 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | +| 2276 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | +| 2277 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | +| 2278 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | +| 2279 | CKV2_GCP_10 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function HTTP trigger is secured | Terraform | [CloudFunctionSecureHTTPTrigger.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml) | +| 2280 | CKV2_GCP_11 | resource | google_project_services | Ensure GCP GCR Container Vulnerability Scanning is enabled | Terraform | [GCRContainerVulnerabilityScanningEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCRContainerVulnerabilityScanningEnabled.yaml) | +| 2281 | CKV2_GCP_12 | resource | google_compute_firewall | Ensure GCP compute firewall ingress does not allow unrestricted access to all ports | Terraform | [GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml) | +| 2282 | CKV2_GCP_13 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_duration' is set to 'on' | Terraform | [GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml) | +| 2283 | CKV2_GCP_14 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml) | +| 2284 | CKV2_GCP_15 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml) | +| 2285 | CKV2_GCP_16 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml) | +| 2286 | CKV2_GCP_17 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml) | +| 2287 | CKV2_GCP_18 | resource | google_compute_network | Ensure GCP network defines a firewall and does not use the default firewall | Terraform | [GCPNetworkDoesNotUseDefaultFirewall.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml) | +| 2288 | CKV2_GCP_19 | resource | google_container_cluster | Ensure GCP Kubernetes engine clusters have 'alpha cluster' feature disabled | Terraform | [GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml) | +| 2289 | CKV2_GCP_20 | resource | google_sql_database_instance | Ensure MySQL DB instance has point-in-time recovery backup configured | Terraform | [GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml) | +| 2290 | CKV_GHA_1 | jobs | jobs | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables | github_actions | [AllowUnsecureCommandsOnJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/AllowUnsecureCommandsOnJob.py) | +| 2291 | CKV_GHA_1 | jobs | jobs.*.steps[] | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables | github_actions | [AllowUnsecureCommandsOnJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/AllowUnsecureCommandsOnJob.py) | +| 2292 | CKV_GHA_2 | jobs | jobs | Ensure run commands are not vulnerable to shell injection | github_actions | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ShellInjection.py) | +| 2293 | CKV_GHA_2 | jobs | jobs.*.steps[] | Ensure run commands are not vulnerable to shell injection | github_actions | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ShellInjection.py) | +| 2294 | CKV_GHA_3 | jobs | jobs | Suspicious use of curl with secrets | github_actions | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/SuspectCurlInScript.py) | +| 2295 | CKV_GHA_3 | jobs | jobs.*.steps[] | Suspicious use of curl with secrets | github_actions | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/SuspectCurlInScript.py) | +| 2296 | CKV_GHA_4 | jobs | jobs | Suspicious use of netcat with IP address | github_actions | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ReverseShellNetcat.py) | +| 2297 | CKV_GHA_4 | jobs | jobs.*.steps[] | Suspicious use of netcat with IP address | github_actions | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ReverseShellNetcat.py) | +| 2298 | CKV_GHA_5 | jobs | jobs | Found artifact build without evidence of cosign sign execution in pipeline | github_actions | [CosignArtifacts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/CosignArtifacts.py) | +| 2299 | CKV_GHA_6 | jobs | jobs | Found artifact build without evidence of cosign sbom attestation in pipeline | github_actions | [CosignSBOM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/CosignSBOM.py) | +| 2300 | CKV_GHA_7 | jobs | on | The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. | github_actions | [EmptyWorkflowDispatch.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/EmptyWorkflowDispatch.py) | +| 2301 | CKV2_GHA_1 | resource | permissions | Ensure top-level permissions are not set to write-all | github_actions | [ReadOnlyTopLevelPermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/graph_checks/ReadOnlyTopLevelPermissions.yaml) | +| 2302 | CKV_GIT_1 | resource | github_repository | Ensure GitHub repository is Private | Terraform | [PrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/PrivateRepo.py) | +| 2303 | CKV_GIT_2 | resource | github_repository_webhook | Ensure GitHub repository webhooks are using HTTPS | Terraform | [WebhookInsecureSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/WebhookInsecureSsl.py) | +| 2304 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | [RepositoryEnableVulnerabilityAlerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py) | +| 2305 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | +| 2306 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | +| 2307 | CKV_GIT_4 | resource | github_actions_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | +| 2308 | CKV_GIT_5 | resource | github_branch_protection | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | +| 2309 | CKV_GIT_5 | resource | github_branch_protection_v3 | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | +| 2310 | CKV_GIT_6 | resource | github_branch_protection | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | +| 2311 | CKV_GIT_6 | resource | github_branch_protection_v3 | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | +| 2312 | CKV2_GIT_1 | resource | github_repository | Ensure each Repository has branch protection associated | Terraform | [RepositoryHasBranchProtection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/github/RepositoryHasBranchProtection.yaml) | +| 2313 | CKV_GITHUB_1 | github_configuration | * | Ensure GitHub organization security settings require 2FA | github_configuration | [2fa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/2fa.py) | +| 2314 | CKV_GITHUB_2 | github_configuration | * | Ensure GitHub organization security settings require SSO | github_configuration | [sso.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/sso.py) | +| 2315 | CKV_GITHUB_3 | github_configuration | * | Ensure GitHub organization security settings has IP allow list enabled | github_configuration | [ipallowlist.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/ipallowlist.py) | +| 2316 | CKV_GITHUB_4 | github_configuration | * | Ensure GitHub branch protection rules requires signed commits | github_configuration | [require_signatures.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_signatures.py) | +| 2317 | CKV_GITHUB_5 | github_configuration | * | Ensure GitHub branch protection rules does not allow force pushes | github_configuration | [disallow_force_pushes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_force_pushes.py) | +| 2318 | CKV_GITHUB_6 | github_configuration | * | Ensure GitHub organization webhooks are using HTTPS | github_configuration | [webhooks_https_orgs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/webhooks_https_orgs.py) | +| 2319 | CKV_GITHUB_7 | github_configuration | * | Ensure GitHub repository webhooks are using HTTPS | github_configuration | [webhooks_https_repos.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/webhooks_https_repos.py) | +| 2320 | CKV_GITHUB_8 | github_configuration | * | Ensure GitHub branch protection rules requires linear history | github_configuration | [require_linear_history.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_linear_history.py) | +| 2321 | CKV_GITHUB_9 | github_configuration | * | Ensure 2 admins are set for each repository | github_configuration | [repository_collaborators.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/repository_collaborators.py) | +| 2322 | CKV_GITHUB_10 | github_configuration | * | Ensure branch protection rules are enforced on administrators | github_configuration | [enforce_branch_protection_admins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/enforce_branch_protection_admins.py) | +| 2323 | CKV_GITHUB_11 | github_configuration | * | Ensure GitHub branch protection dismisses stale review on new commit | github_configuration | [dismiss_stale_reviews.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/dismiss_stale_reviews.py) | +| 2324 | CKV_GITHUB_12 | github_configuration | * | Ensure GitHub branch protection restricts who can dismiss PR reviews | github_configuration | [restrict_pr_review_dismissal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/restrict_pr_review_dismissal.py) | +| 2325 | CKV_GITHUB_13 | github_configuration | * | Ensure GitHub branch protection requires CODEOWNER reviews | github_configuration | [require_code_owner_reviews.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_code_owner_reviews.py) | +| 2326 | CKV_GITHUB_14 | github_configuration | * | Ensure all checks have passed before the merge of new code | github_configuration | [require_status_checks_pr.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_status_checks_pr.py) | +| 2327 | CKV_GITHUB_15 | github_configuration | * | Ensure inactive branches are reviewed and removed periodically | github_configuration | [disallow_inactive_branch_60days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_inactive_branch_60days.py) | +| 2328 | CKV_GITHUB_16 | github_configuration | * | Ensure GitHub branch protection requires conversation resolution | github_configuration | [require_conversation_resolution.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_conversation_resolution.py) | +| 2329 | CKV_GITHUB_17 | github_configuration | * | Ensure GitHub branch protection requires push restrictions | github_configuration | [require_push_restrictions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_push_restrictions.py) | +| 2330 | CKV_GITHUB_18 | github_configuration | * | Ensure GitHub branch protection rules does not allow deletions | github_configuration | [disallow_branch_deletions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_branch_deletions.py) | +| 2331 | CKV_GITHUB_19 | github_configuration | * | Ensure any change to code receives approval of two strongly authenticated users | github_configuration | [require_2approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_2approvals.py) | +| 2332 | CKV_GITHUB_20 | github_configuration | * | Ensure open git branches are up to date before they can be merged into codebase | github_configuration | [require_updated_branch_pr.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_updated_branch_pr.py) | +| 2333 | CKV_GITHUB_21 | github_configuration | * | Ensure public repository creation is limited to specific members | github_configuration | [public_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/public_repository_creation_is_limited.py) | +| 2334 | CKV_GITHUB_22 | github_configuration | * | Ensure private repository creation is limited to specific members | github_configuration | [private_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/private_repository_creation_is_limited.py) | +| 2335 | CKV_GITHUB_23 | github_configuration | * | Ensure internal repository creation is limited to specific members | github_configuration | [internal_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/internal_repository_creation_is_limited.py) | +| 2336 | CKV_GITHUB_26 | github_configuration | * | Ensure minimum admins are set for the organization | github_configuration | [minimum_admins_in_org.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/minimum_admins_in_org.py) | +| 2337 | CKV_GITHUB_27 | github_configuration | * | Ensure strict base permissions are set for repositories | github_configuration | [require_strict_base_permissions_repository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_strict_base_permissions_repository.py) | +| 2338 | CKV_GITHUB_28 | github_configuration | * | Ensure an organization's identity is confirmed with a Verified badge Passed | github_configuration | [require_verified_organization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_verified_organization.py) | +| 2339 | CKV_GITLAB_1 | gitlab_configuration | * | Merge requests should require at least 2 approvals | gitlab_configuration | [merge_requests_approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab/checks/merge_requests_approvals.py) | +| 2340 | CKV_GITLAB_2 | gitlab_configuration | * | Ensure all Gitlab groups require two factor authentication | gitlab_configuration | [two_factor_authentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab/checks/two_factor_authentication.py) | +| 2341 | CKV_GITLABCI_1 | jobs | *.script[] | Suspicious use of curl with CI environment variables in script | gitlab_ci | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/SuspectCurlInScript.py) | +| 2342 | CKV_GITLABCI_2 | jobs | *.rules | Avoid creating rules that generate double pipelines | gitlab_ci | [AvoidDoublePipelines.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/AvoidDoublePipelines.py) | +| 2343 | CKV_GITLABCI_3 | jobs | *.image[] | Detecting image usages in gitlab workflows | gitlab_ci | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/DetectImagesUsage.py) | +| 2344 | CKV_GITLABCI_3 | jobs | *.services[] | Detecting image usages in gitlab workflows | gitlab_ci | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/DetectImagesUsage.py) | +| 2345 | CKV_GLB_1 | resource | gitlab_project | Ensure at least two approving reviews are required to merge a GitLab MR | Terraform | [RequireTwoApprovalsToMerge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RequireTwoApprovalsToMerge.py) | +| 2346 | CKV_GLB_2 | resource | gitlab_branch_protection | Ensure GitLab branch protection rules does not allow force pushes | Terraform | [ForcePushDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/ForcePushDisabled.py) | +| 2347 | CKV_GLB_3 | resource | gitlab_project | Ensure GitLab prevent secrets is enabled | Terraform | [PreventSecretsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/PreventSecretsEnabled.py) | +| 2348 | CKV_GLB_4 | resource | gitlab_project | Ensure GitLab commits are signed | Terraform | [RejectUnsignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RejectUnsignedCommits.py) | +| 2349 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPIDPSP.py) | +| 2350 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPIDPSP.py) | +| 2351 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | [PrivilegedContainersPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainersPSP.py) | +| 2352 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | [PrivilegedContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainerPSP.py) | +| 2353 | CKV_K8S_3 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPCPSP.py) | +| 2354 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPCPSP.py) | +| 2355 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespacePSP.py) | +| 2356 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespacePSP.py) | +| 2357 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalationPSP.py) | +| 2358 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalationPSP.py) | +| 2359 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers | Kubernetes | [RootContainersPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersPSP.py) | +| 2360 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | [RootContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py) | +| 2361 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilitiesPSP.py) | +| 2362 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py) | +| 2363 | CKV_K8S_8 | resource | DaemonSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2364 | CKV_K8S_8 | resource | Deployment | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2365 | CKV_K8S_8 | resource | DeploymentConfig | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2366 | CKV_K8S_8 | resource | Pod | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2367 | CKV_K8S_8 | resource | PodTemplate | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2368 | CKV_K8S_8 | resource | ReplicaSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2369 | CKV_K8S_8 | resource | ReplicationController | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2370 | CKV_K8S_8 | resource | StatefulSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2371 | CKV_K8S_8 | resource | kubernetes_deployment | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 2372 | CKV_K8S_8 | resource | kubernetes_deployment_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 2373 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 2374 | CKV_K8S_8 | resource | kubernetes_pod_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 2375 | CKV_K8S_9 | resource | DaemonSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2376 | CKV_K8S_9 | resource | Deployment | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2377 | CKV_K8S_9 | resource | DeploymentConfig | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2378 | CKV_K8S_9 | resource | Pod | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2379 | CKV_K8S_9 | resource | PodTemplate | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2380 | CKV_K8S_9 | resource | ReplicaSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2381 | CKV_K8S_9 | resource | ReplicationController | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2382 | CKV_K8S_9 | resource | StatefulSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2383 | CKV_K8S_9 | resource | kubernetes_deployment | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 2384 | CKV_K8S_9 | resource | kubernetes_deployment_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 2385 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 2386 | CKV_K8S_9 | resource | kubernetes_pod_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 2387 | CKV_K8S_10 | resource | CronJob | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2388 | CKV_K8S_10 | resource | DaemonSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2389 | CKV_K8S_10 | resource | Deployment | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2390 | CKV_K8S_10 | resource | DeploymentConfig | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2391 | CKV_K8S_10 | resource | Job | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2392 | CKV_K8S_10 | resource | Pod | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2393 | CKV_K8S_10 | resource | PodTemplate | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2394 | CKV_K8S_10 | resource | ReplicaSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2395 | CKV_K8S_10 | resource | ReplicationController | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2396 | CKV_K8S_10 | resource | StatefulSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2397 | CKV_K8S_10 | resource | kubernetes_deployment | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 2398 | CKV_K8S_10 | resource | kubernetes_deployment_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 2399 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 2400 | CKV_K8S_10 | resource | kubernetes_pod_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 2401 | CKV_K8S_11 | resource | CronJob | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2402 | CKV_K8S_11 | resource | DaemonSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2403 | CKV_K8S_11 | resource | Deployment | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2404 | CKV_K8S_11 | resource | DeploymentConfig | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2405 | CKV_K8S_11 | resource | Job | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2406 | CKV_K8S_11 | resource | Pod | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2407 | CKV_K8S_11 | resource | PodTemplate | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2408 | CKV_K8S_11 | resource | ReplicaSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2409 | CKV_K8S_11 | resource | ReplicationController | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2410 | CKV_K8S_11 | resource | StatefulSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2411 | CKV_K8S_11 | resource | kubernetes_deployment | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 2412 | CKV_K8S_11 | resource | kubernetes_deployment_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 2413 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 2414 | CKV_K8S_11 | resource | kubernetes_pod_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 2415 | CKV_K8S_12 | resource | CronJob | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2416 | CKV_K8S_12 | resource | DaemonSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2417 | CKV_K8S_12 | resource | Deployment | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2418 | CKV_K8S_12 | resource | DeploymentConfig | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2419 | CKV_K8S_12 | resource | Job | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2420 | CKV_K8S_12 | resource | Pod | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2421 | CKV_K8S_12 | resource | PodTemplate | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2422 | CKV_K8S_12 | resource | ReplicaSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2423 | CKV_K8S_12 | resource | ReplicationController | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2424 | CKV_K8S_12 | resource | StatefulSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2425 | CKV_K8S_12 | resource | kubernetes_deployment | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 2426 | CKV_K8S_12 | resource | kubernetes_deployment_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 2427 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 2428 | CKV_K8S_12 | resource | kubernetes_pod_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 2429 | CKV_K8S_13 | resource | CronJob | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2430 | CKV_K8S_13 | resource | DaemonSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2431 | CKV_K8S_13 | resource | Deployment | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2432 | CKV_K8S_13 | resource | DeploymentConfig | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2433 | CKV_K8S_13 | resource | Job | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2434 | CKV_K8S_13 | resource | Pod | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2435 | CKV_K8S_13 | resource | PodTemplate | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2436 | CKV_K8S_13 | resource | ReplicaSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2437 | CKV_K8S_13 | resource | ReplicationController | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2438 | CKV_K8S_13 | resource | StatefulSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2439 | CKV_K8S_13 | resource | kubernetes_deployment | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 2440 | CKV_K8S_13 | resource | kubernetes_deployment_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 2441 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 2442 | CKV_K8S_13 | resource | kubernetes_pod_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 2443 | CKV_K8S_14 | resource | CronJob | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2444 | CKV_K8S_14 | resource | DaemonSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2445 | CKV_K8S_14 | resource | Deployment | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2446 | CKV_K8S_14 | resource | DeploymentConfig | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2447 | CKV_K8S_14 | resource | Job | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2448 | CKV_K8S_14 | resource | Pod | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2449 | CKV_K8S_14 | resource | PodTemplate | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2450 | CKV_K8S_14 | resource | ReplicaSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2451 | CKV_K8S_14 | resource | ReplicationController | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2452 | CKV_K8S_14 | resource | StatefulSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2453 | CKV_K8S_14 | resource | kubernetes_deployment | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 2454 | CKV_K8S_14 | resource | kubernetes_deployment_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 2455 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 2456 | CKV_K8S_14 | resource | kubernetes_pod_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 2457 | CKV_K8S_15 | resource | CronJob | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2458 | CKV_K8S_15 | resource | DaemonSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2459 | CKV_K8S_15 | resource | Deployment | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2460 | CKV_K8S_15 | resource | DeploymentConfig | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2461 | CKV_K8S_15 | resource | Job | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2462 | CKV_K8S_15 | resource | Pod | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2463 | CKV_K8S_15 | resource | PodTemplate | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2464 | CKV_K8S_15 | resource | ReplicaSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2465 | CKV_K8S_15 | resource | ReplicationController | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2466 | CKV_K8S_15 | resource | StatefulSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2467 | CKV_K8S_15 | resource | kubernetes_deployment | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 2468 | CKV_K8S_15 | resource | kubernetes_deployment_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 2469 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 2470 | CKV_K8S_15 | resource | kubernetes_pod_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 2471 | CKV_K8S_16 | resource | CronJob | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2472 | CKV_K8S_16 | resource | DaemonSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2473 | CKV_K8S_16 | resource | Deployment | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2474 | CKV_K8S_16 | resource | DeploymentConfig | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2475 | CKV_K8S_16 | resource | Job | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2476 | CKV_K8S_16 | resource | Pod | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2477 | CKV_K8S_16 | resource | PodTemplate | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2478 | CKV_K8S_16 | resource | ReplicaSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2479 | CKV_K8S_16 | resource | ReplicationController | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2480 | CKV_K8S_16 | resource | StatefulSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2481 | CKV_K8S_16 | resource | kubernetes_deployment | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 2482 | CKV_K8S_16 | resource | kubernetes_deployment_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 2483 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 2484 | CKV_K8S_16 | resource | kubernetes_pod_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 2485 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2486 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2487 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2488 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2489 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2490 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2491 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2492 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2493 | CKV_K8S_17 | resource | kubernetes_deployment | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 2494 | CKV_K8S_17 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 2495 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 2496 | CKV_K8S_17 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 2497 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2498 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2499 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2500 | CKV_K8S_18 | resource | Job | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2501 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2502 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2503 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2504 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2505 | CKV_K8S_18 | resource | kubernetes_deployment | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 2506 | CKV_K8S_18 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 2507 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 2508 | CKV_K8S_18 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 2509 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2510 | CKV_K8S_19 | resource | DaemonSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2511 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2512 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2513 | CKV_K8S_19 | resource | Pod | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2514 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2515 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2516 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2517 | CKV_K8S_19 | resource | kubernetes_deployment | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 2518 | CKV_K8S_19 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 2519 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 2520 | CKV_K8S_19 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 2521 | CKV_K8S_20 | resource | CronJob | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2522 | CKV_K8S_20 | resource | DaemonSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2523 | CKV_K8S_20 | resource | Deployment | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2524 | CKV_K8S_20 | resource | DeploymentConfig | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2525 | CKV_K8S_20 | resource | Job | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2526 | CKV_K8S_20 | resource | Pod | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2527 | CKV_K8S_20 | resource | PodTemplate | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2528 | CKV_K8S_20 | resource | ReplicaSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2529 | CKV_K8S_20 | resource | ReplicationController | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2530 | CKV_K8S_20 | resource | StatefulSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2531 | CKV_K8S_20 | resource | kubernetes_deployment | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 2532 | CKV_K8S_20 | resource | kubernetes_deployment_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 2533 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 2534 | CKV_K8S_20 | resource | kubernetes_pod_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 2535 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2536 | CKV_K8S_21 | resource | CronJob | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2537 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2538 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2539 | CKV_K8S_21 | resource | Ingress | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2540 | CKV_K8S_21 | resource | Job | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2541 | CKV_K8S_21 | resource | Pod | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2542 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2543 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2544 | CKV_K8S_21 | resource | Role | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2545 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2546 | CKV_K8S_21 | resource | Secret | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2547 | CKV_K8S_21 | resource | Service | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2548 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2549 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2550 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2551 | CKV_K8S_21 | resource | kubernetes_config_map_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2552 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2553 | CKV_K8S_21 | resource | kubernetes_cron_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2554 | CKV_K8S_21 | resource | kubernetes_daemon_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2555 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2556 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2557 | CKV_K8S_21 | resource | kubernetes_deployment_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2558 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2559 | CKV_K8S_21 | resource | kubernetes_ingress_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2560 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2561 | CKV_K8S_21 | resource | kubernetes_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2562 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2563 | CKV_K8S_21 | resource | kubernetes_pod_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2564 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2565 | CKV_K8S_21 | resource | kubernetes_replication_controller_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2566 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2567 | CKV_K8S_21 | resource | kubernetes_role_binding_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2568 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2569 | CKV_K8S_21 | resource | kubernetes_secret_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2570 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2571 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2572 | CKV_K8S_21 | resource | kubernetes_service_account_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2573 | CKV_K8S_21 | resource | kubernetes_service_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2574 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2575 | CKV_K8S_21 | resource | kubernetes_stateful_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2576 | CKV_K8S_22 | resource | CronJob | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2577 | CKV_K8S_22 | resource | DaemonSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2578 | CKV_K8S_22 | resource | Deployment | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2579 | CKV_K8S_22 | resource | DeploymentConfig | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2580 | CKV_K8S_22 | resource | Job | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2581 | CKV_K8S_22 | resource | Pod | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2582 | CKV_K8S_22 | resource | PodTemplate | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2583 | CKV_K8S_22 | resource | ReplicaSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2584 | CKV_K8S_22 | resource | ReplicationController | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2585 | CKV_K8S_22 | resource | StatefulSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2586 | CKV_K8S_22 | resource | kubernetes_deployment | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 2587 | CKV_K8S_22 | resource | kubernetes_deployment_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 2588 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 2589 | CKV_K8S_22 | resource | kubernetes_pod_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 2590 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2591 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2592 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2593 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2594 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2595 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2596 | CKV_K8S_23 | resource | ReplicationController | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2597 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2598 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesPSP.py) | +| 2599 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesPSP.py) | +| 2600 | CKV_K8S_25 | resource | CronJob | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2601 | CKV_K8S_25 | resource | DaemonSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2602 | CKV_K8S_25 | resource | Deployment | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2603 | CKV_K8S_25 | resource | DeploymentConfig | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2604 | CKV_K8S_25 | resource | Job | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2605 | CKV_K8S_25 | resource | Pod | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2606 | CKV_K8S_25 | resource | PodTemplate | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2607 | CKV_K8S_25 | resource | ReplicaSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2608 | CKV_K8S_25 | resource | ReplicationController | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2609 | CKV_K8S_25 | resource | StatefulSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2610 | CKV_K8S_25 | resource | kubernetes_deployment | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 2611 | CKV_K8S_25 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 2612 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 2613 | CKV_K8S_25 | resource | kubernetes_pod_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 2614 | CKV_K8S_26 | resource | CronJob | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2615 | CKV_K8S_26 | resource | DaemonSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2616 | CKV_K8S_26 | resource | Deployment | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2617 | CKV_K8S_26 | resource | DeploymentConfig | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2618 | CKV_K8S_26 | resource | Job | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2619 | CKV_K8S_26 | resource | Pod | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2620 | CKV_K8S_26 | resource | PodTemplate | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2621 | CKV_K8S_26 | resource | ReplicaSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2622 | CKV_K8S_26 | resource | ReplicationController | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2623 | CKV_K8S_26 | resource | StatefulSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2624 | CKV_K8S_26 | resource | kubernetes_deployment | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 2625 | CKV_K8S_26 | resource | kubernetes_deployment_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 2626 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 2627 | CKV_K8S_26 | resource | kubernetes_pod_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 2628 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | +| 2629 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | +| 2630 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | +| 2631 | CKV_K8S_27 | resource | Job | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | +| 2632 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | +| 2633 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | +| 2634 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | +| 2635 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | +| 2636 | CKV_K8S_27 | resource | kubernetes_daemon_set_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 2637 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 2638 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 2639 | CKV_K8S_27 | resource | kubernetes_deployment_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 2640 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 2641 | CKV_K8S_27 | resource | kubernetes_pod_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 2642 | CKV_K8S_28 | resource | CronJob | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2643 | CKV_K8S_28 | resource | DaemonSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2644 | CKV_K8S_28 | resource | Deployment | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2645 | CKV_K8S_28 | resource | DeploymentConfig | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2646 | CKV_K8S_28 | resource | Job | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2647 | CKV_K8S_28 | resource | Pod | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2648 | CKV_K8S_28 | resource | PodTemplate | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2649 | CKV_K8S_28 | resource | ReplicaSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2650 | CKV_K8S_28 | resource | ReplicationController | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2651 | CKV_K8S_28 | resource | StatefulSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2652 | CKV_K8S_28 | resource | kubernetes_deployment | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 2653 | CKV_K8S_28 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 2654 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 2655 | CKV_K8S_28 | resource | kubernetes_pod_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 2656 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | +| 2657 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | +| 2658 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | +| 2659 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | +| 2660 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | +| 2661 | CKV_K8S_29 | resource | ReplicaSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | +| 2662 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | +| 2663 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | +| 2664 | CKV_K8S_29 | resource | kubernetes_daemon_set_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 2665 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 2666 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 2667 | CKV_K8S_29 | resource | kubernetes_deployment_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 2668 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 2669 | CKV_K8S_29 | resource | kubernetes_pod_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 2670 | CKV_K8S_30 | resource | CronJob | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2671 | CKV_K8S_30 | resource | DaemonSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2672 | CKV_K8S_30 | resource | Deployment | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2673 | CKV_K8S_30 | resource | DeploymentConfig | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2674 | CKV_K8S_30 | resource | Job | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2675 | CKV_K8S_30 | resource | Pod | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2676 | CKV_K8S_30 | resource | PodTemplate | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2677 | CKV_K8S_30 | resource | ReplicaSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2678 | CKV_K8S_30 | resource | ReplicationController | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2679 | CKV_K8S_30 | resource | StatefulSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2680 | CKV_K8S_30 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 2681 | CKV_K8S_30 | resource | kubernetes_deployment_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 2682 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 2683 | CKV_K8S_30 | resource | kubernetes_pod_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 2684 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | +| 2685 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | +| 2686 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | +| 2687 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | +| 2688 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | +| 2689 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | +| 2690 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | +| 2691 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | +| 2692 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SeccompPSP.py) | +| 2693 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py) | +| 2694 | CKV_K8S_33 | resource | CronJob | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2695 | CKV_K8S_33 | resource | DaemonSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2696 | CKV_K8S_33 | resource | Deployment | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2697 | CKV_K8S_33 | resource | DeploymentConfig | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2698 | CKV_K8S_33 | resource | Job | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2699 | CKV_K8S_33 | resource | Pod | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2700 | CKV_K8S_33 | resource | PodTemplate | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2701 | CKV_K8S_33 | resource | ReplicaSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2702 | CKV_K8S_33 | resource | ReplicationController | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2703 | CKV_K8S_33 | resource | StatefulSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2704 | CKV_K8S_34 | resource | CronJob | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2705 | CKV_K8S_34 | resource | DaemonSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2706 | CKV_K8S_34 | resource | Deployment | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2707 | CKV_K8S_34 | resource | DeploymentConfig | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2708 | CKV_K8S_34 | resource | Job | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2709 | CKV_K8S_34 | resource | Pod | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2710 | CKV_K8S_34 | resource | PodTemplate | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2711 | CKV_K8S_34 | resource | ReplicaSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2712 | CKV_K8S_34 | resource | ReplicationController | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2713 | CKV_K8S_34 | resource | StatefulSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2714 | CKV_K8S_34 | resource | kubernetes_deployment | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 2715 | CKV_K8S_34 | resource | kubernetes_deployment_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 2716 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 2717 | CKV_K8S_34 | resource | kubernetes_pod_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 2718 | CKV_K8S_35 | resource | CronJob | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2719 | CKV_K8S_35 | resource | DaemonSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2720 | CKV_K8S_35 | resource | Deployment | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2721 | CKV_K8S_35 | resource | DeploymentConfig | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2722 | CKV_K8S_35 | resource | Job | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2723 | CKV_K8S_35 | resource | Pod | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2724 | CKV_K8S_35 | resource | PodTemplate | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2725 | CKV_K8S_35 | resource | ReplicaSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2726 | CKV_K8S_35 | resource | ReplicationController | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2727 | CKV_K8S_35 | resource | StatefulSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2728 | CKV_K8S_35 | resource | kubernetes_deployment | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 2729 | CKV_K8S_35 | resource | kubernetes_deployment_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 2730 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 2731 | CKV_K8S_35 | resource | kubernetes_pod_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 2732 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilitiesPSP.py) | +| 2733 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilitiesPSP.py) | +| 2734 | CKV_K8S_37 | resource | CronJob | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2735 | CKV_K8S_37 | resource | DaemonSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2736 | CKV_K8S_37 | resource | Deployment | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2737 | CKV_K8S_37 | resource | DeploymentConfig | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2738 | CKV_K8S_37 | resource | Job | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2739 | CKV_K8S_37 | resource | Pod | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2740 | CKV_K8S_37 | resource | PodTemplate | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2741 | CKV_K8S_37 | resource | ReplicaSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2742 | CKV_K8S_37 | resource | ReplicationController | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2743 | CKV_K8S_37 | resource | StatefulSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2744 | CKV_K8S_37 | resource | kubernetes_deployment | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 2745 | CKV_K8S_37 | resource | kubernetes_deployment_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 2746 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 2747 | CKV_K8S_37 | resource | kubernetes_pod_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 2748 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2749 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2750 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2751 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2752 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2753 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2754 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2755 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2756 | CKV_K8S_39 | resource | CronJob | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2757 | CKV_K8S_39 | resource | DaemonSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2758 | CKV_K8S_39 | resource | Deployment | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2759 | CKV_K8S_39 | resource | DeploymentConfig | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2760 | CKV_K8S_39 | resource | Job | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2761 | CKV_K8S_39 | resource | Pod | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2762 | CKV_K8S_39 | resource | PodTemplate | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2763 | CKV_K8S_39 | resource | ReplicaSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2764 | CKV_K8S_39 | resource | ReplicationController | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2765 | CKV_K8S_39 | resource | StatefulSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2766 | CKV_K8S_39 | resource | kubernetes_deployment | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 2767 | CKV_K8S_39 | resource | kubernetes_deployment_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 2768 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 2769 | CKV_K8S_39 | resource | kubernetes_pod_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 2770 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2771 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2772 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2773 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2774 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2775 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2776 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2777 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2778 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccount.py) | +| 2779 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | +| 2780 | CKV_K8S_41 | resource | kubernetes_service_account_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | +| 2781 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccountBinding.py) | +| 2782 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccountBinding.py) | +| 2783 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 2784 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 2785 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 2786 | CKV_K8S_42 | resource | kubernetes_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 2787 | CKV_K8S_43 | resource | CronJob | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2788 | CKV_K8S_43 | resource | DaemonSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2789 | CKV_K8S_43 | resource | Deployment | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2790 | CKV_K8S_43 | resource | DeploymentConfig | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2791 | CKV_K8S_43 | resource | Job | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2792 | CKV_K8S_43 | resource | Pod | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2793 | CKV_K8S_43 | resource | PodTemplate | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2794 | CKV_K8S_43 | resource | ReplicaSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2795 | CKV_K8S_43 | resource | ReplicationController | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2796 | CKV_K8S_43 | resource | StatefulSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2797 | CKV_K8S_43 | resource | kubernetes_deployment | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 2798 | CKV_K8S_43 | resource | kubernetes_deployment_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 2799 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 2800 | CKV_K8S_43 | resource | kubernetes_pod_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 2801 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerService.py) | +| 2802 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | +| 2803 | CKV_K8S_44 | resource | kubernetes_service_v1 | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | +| 2804 | CKV_K8S_45 | resource | CronJob | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2805 | CKV_K8S_45 | resource | DaemonSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2806 | CKV_K8S_45 | resource | Deployment | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2807 | CKV_K8S_45 | resource | DeploymentConfig | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2808 | CKV_K8S_45 | resource | Job | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2809 | CKV_K8S_45 | resource | Pod | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2810 | CKV_K8S_45 | resource | PodTemplate | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2811 | CKV_K8S_45 | resource | ReplicaSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2812 | CKV_K8S_45 | resource | ReplicationController | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2813 | CKV_K8S_45 | resource | StatefulSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2814 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py) | +| 2815 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py) | +| 2816 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 2817 | CKV_K8S_49 | resource | kubernetes_cluster_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 2818 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 2819 | CKV_K8S_49 | resource | kubernetes_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 2820 | CKV_K8S_68 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2821 | CKV_K8S_68 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2822 | CKV_K8S_68 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2823 | CKV_K8S_68 | resource | DeploymentConfig | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2824 | CKV_K8S_68 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2825 | CKV_K8S_68 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2826 | CKV_K8S_68 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2827 | CKV_K8S_68 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2828 | CKV_K8S_68 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2829 | CKV_K8S_68 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2830 | CKV_K8S_69 | resource | CronJob | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2831 | CKV_K8S_69 | resource | DaemonSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2832 | CKV_K8S_69 | resource | Deployment | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2833 | CKV_K8S_69 | resource | DeploymentConfig | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2834 | CKV_K8S_69 | resource | Job | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2835 | CKV_K8S_69 | resource | Pod | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2836 | CKV_K8S_69 | resource | PodTemplate | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2837 | CKV_K8S_69 | resource | ReplicaSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2838 | CKV_K8S_69 | resource | ReplicationController | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2839 | CKV_K8S_69 | resource | StatefulSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2840 | CKV_K8S_70 | resource | CronJob | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2841 | CKV_K8S_70 | resource | DaemonSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2842 | CKV_K8S_70 | resource | Deployment | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2843 | CKV_K8S_70 | resource | DeploymentConfig | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2844 | CKV_K8S_70 | resource | Job | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2845 | CKV_K8S_70 | resource | Pod | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2846 | CKV_K8S_70 | resource | PodTemplate | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2847 | CKV_K8S_70 | resource | ReplicaSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2848 | CKV_K8S_70 | resource | ReplicationController | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2849 | CKV_K8S_70 | resource | StatefulSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2850 | CKV_K8S_71 | resource | CronJob | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2851 | CKV_K8S_71 | resource | DaemonSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2852 | CKV_K8S_71 | resource | Deployment | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2853 | CKV_K8S_71 | resource | DeploymentConfig | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2854 | CKV_K8S_71 | resource | Job | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2855 | CKV_K8S_71 | resource | Pod | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2856 | CKV_K8S_71 | resource | PodTemplate | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2857 | CKV_K8S_71 | resource | ReplicaSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2858 | CKV_K8S_71 | resource | ReplicationController | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2859 | CKV_K8S_71 | resource | StatefulSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2860 | CKV_K8S_72 | resource | CronJob | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2861 | CKV_K8S_72 | resource | DaemonSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2862 | CKV_K8S_72 | resource | Deployment | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2863 | CKV_K8S_72 | resource | DeploymentConfig | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2864 | CKV_K8S_72 | resource | Job | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2865 | CKV_K8S_72 | resource | Pod | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2866 | CKV_K8S_72 | resource | PodTemplate | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2867 | CKV_K8S_72 | resource | ReplicaSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2868 | CKV_K8S_72 | resource | ReplicationController | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2869 | CKV_K8S_72 | resource | StatefulSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2870 | CKV_K8S_73 | resource | CronJob | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2871 | CKV_K8S_73 | resource | DaemonSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2872 | CKV_K8S_73 | resource | Deployment | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2873 | CKV_K8S_73 | resource | DeploymentConfig | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2874 | CKV_K8S_73 | resource | Job | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2875 | CKV_K8S_73 | resource | Pod | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2876 | CKV_K8S_73 | resource | PodTemplate | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2877 | CKV_K8S_73 | resource | ReplicaSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2878 | CKV_K8S_73 | resource | ReplicationController | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2879 | CKV_K8S_73 | resource | StatefulSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2880 | CKV_K8S_74 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2881 | CKV_K8S_74 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2882 | CKV_K8S_74 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2883 | CKV_K8S_74 | resource | DeploymentConfig | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2884 | CKV_K8S_74 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2885 | CKV_K8S_74 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2886 | CKV_K8S_74 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2887 | CKV_K8S_74 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2888 | CKV_K8S_74 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2889 | CKV_K8S_74 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2890 | CKV_K8S_75 | resource | CronJob | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2891 | CKV_K8S_75 | resource | DaemonSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2892 | CKV_K8S_75 | resource | Deployment | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2893 | CKV_K8S_75 | resource | DeploymentConfig | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2894 | CKV_K8S_75 | resource | Job | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2895 | CKV_K8S_75 | resource | Pod | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2896 | CKV_K8S_75 | resource | PodTemplate | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2897 | CKV_K8S_75 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2898 | CKV_K8S_75 | resource | ReplicationController | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2899 | CKV_K8S_75 | resource | StatefulSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2900 | CKV_K8S_77 | resource | CronJob | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2901 | CKV_K8S_77 | resource | DaemonSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2902 | CKV_K8S_77 | resource | Deployment | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2903 | CKV_K8S_77 | resource | DeploymentConfig | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2904 | CKV_K8S_77 | resource | Job | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2905 | CKV_K8S_77 | resource | Pod | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2906 | CKV_K8S_77 | resource | PodTemplate | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2907 | CKV_K8S_77 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2908 | CKV_K8S_77 | resource | ReplicationController | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2909 | CKV_K8S_77 | resource | StatefulSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2910 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set | Kubernetes | [ApiServerAdmissionControlEventRateLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlEventRateLimit.py) | +| 2911 | CKV_K8S_79 | resource | CronJob | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2912 | CKV_K8S_79 | resource | DaemonSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2913 | CKV_K8S_79 | resource | Deployment | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2914 | CKV_K8S_79 | resource | DeploymentConfig | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2915 | CKV_K8S_79 | resource | Job | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2916 | CKV_K8S_79 | resource | Pod | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2917 | CKV_K8S_79 | resource | PodTemplate | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2918 | CKV_K8S_79 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2919 | CKV_K8S_79 | resource | ReplicationController | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2920 | CKV_K8S_79 | resource | StatefulSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2921 | CKV_K8S_80 | resource | CronJob | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2922 | CKV_K8S_80 | resource | DaemonSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2923 | CKV_K8S_80 | resource | Deployment | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2924 | CKV_K8S_80 | resource | DeploymentConfig | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2925 | CKV_K8S_80 | resource | Job | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2926 | CKV_K8S_80 | resource | Pod | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2927 | CKV_K8S_80 | resource | PodTemplate | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2928 | CKV_K8S_80 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2929 | CKV_K8S_80 | resource | ReplicationController | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2930 | CKV_K8S_80 | resource | StatefulSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2931 | CKV_K8S_81 | resource | CronJob | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2932 | CKV_K8S_81 | resource | DaemonSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2933 | CKV_K8S_81 | resource | Deployment | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2934 | CKV_K8S_81 | resource | DeploymentConfig | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2935 | CKV_K8S_81 | resource | Job | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2936 | CKV_K8S_81 | resource | Pod | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2937 | CKV_K8S_81 | resource | PodTemplate | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2938 | CKV_K8S_81 | resource | ReplicaSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2939 | CKV_K8S_81 | resource | ReplicationController | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2940 | CKV_K8S_81 | resource | StatefulSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2941 | CKV_K8S_82 | resource | CronJob | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2942 | CKV_K8S_82 | resource | DaemonSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2943 | CKV_K8S_82 | resource | Deployment | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2944 | CKV_K8S_82 | resource | DeploymentConfig | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2945 | CKV_K8S_82 | resource | Job | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2946 | CKV_K8S_82 | resource | Pod | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2947 | CKV_K8S_82 | resource | PodTemplate | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2948 | CKV_K8S_82 | resource | ReplicaSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2949 | CKV_K8S_82 | resource | ReplicationController | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2950 | CKV_K8S_82 | resource | StatefulSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2951 | CKV_K8S_83 | resource | CronJob | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2952 | CKV_K8S_83 | resource | DaemonSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2953 | CKV_K8S_83 | resource | Deployment | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2954 | CKV_K8S_83 | resource | DeploymentConfig | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2955 | CKV_K8S_83 | resource | Job | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2956 | CKV_K8S_83 | resource | Pod | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2957 | CKV_K8S_83 | resource | PodTemplate | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2958 | CKV_K8S_83 | resource | ReplicaSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2959 | CKV_K8S_83 | resource | ReplicationController | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2960 | CKV_K8S_83 | resource | StatefulSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2961 | CKV_K8S_84 | resource | CronJob | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2962 | CKV_K8S_84 | resource | DaemonSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2963 | CKV_K8S_84 | resource | Deployment | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2964 | CKV_K8S_84 | resource | DeploymentConfig | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2965 | CKV_K8S_84 | resource | Job | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2966 | CKV_K8S_84 | resource | Pod | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2967 | CKV_K8S_84 | resource | PodTemplate | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2968 | CKV_K8S_84 | resource | ReplicaSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2969 | CKV_K8S_84 | resource | ReplicationController | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2970 | CKV_K8S_84 | resource | StatefulSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2971 | CKV_K8S_85 | resource | CronJob | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 2972 | CKV_K8S_85 | resource | DaemonSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 2973 | CKV_K8S_85 | resource | Deployment | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 2974 | CKV_K8S_85 | resource | DeploymentConfig | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 2975 | CKV_K8S_85 | resource | Job | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 2976 | CKV_K8S_85 | resource | Pod | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 2977 | CKV_K8S_85 | resource | PodTemplate | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 2978 | CKV_K8S_85 | resource | ReplicaSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 2979 | CKV_K8S_85 | resource | ReplicationController | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 2980 | CKV_K8S_85 | resource | StatefulSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 2981 | CKV_K8S_86 | resource | CronJob | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 2982 | CKV_K8S_86 | resource | DaemonSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 2983 | CKV_K8S_86 | resource | Deployment | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 2984 | CKV_K8S_86 | resource | DeploymentConfig | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 2985 | CKV_K8S_86 | resource | Job | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 2986 | CKV_K8S_86 | resource | Pod | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 2987 | CKV_K8S_86 | resource | PodTemplate | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 2988 | CKV_K8S_86 | resource | ReplicaSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 2989 | CKV_K8S_86 | resource | ReplicationController | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 2990 | CKV_K8S_86 | resource | StatefulSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 2991 | CKV_K8S_88 | resource | CronJob | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 2992 | CKV_K8S_88 | resource | DaemonSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 2993 | CKV_K8S_88 | resource | Deployment | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 2994 | CKV_K8S_88 | resource | DeploymentConfig | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 2995 | CKV_K8S_88 | resource | Job | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 2996 | CKV_K8S_88 | resource | Pod | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 2997 | CKV_K8S_88 | resource | PodTemplate | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 2998 | CKV_K8S_88 | resource | ReplicaSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 2999 | CKV_K8S_88 | resource | ReplicationController | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3000 | CKV_K8S_88 | resource | StatefulSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3001 | CKV_K8S_89 | resource | CronJob | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3002 | CKV_K8S_89 | resource | DaemonSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3003 | CKV_K8S_89 | resource | Deployment | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3004 | CKV_K8S_89 | resource | DeploymentConfig | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3005 | CKV_K8S_89 | resource | Job | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3006 | CKV_K8S_89 | resource | Pod | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3007 | CKV_K8S_89 | resource | PodTemplate | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3008 | CKV_K8S_89 | resource | ReplicaSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3009 | CKV_K8S_89 | resource | ReplicationController | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3010 | CKV_K8S_89 | resource | StatefulSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3011 | CKV_K8S_90 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3012 | CKV_K8S_90 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3013 | CKV_K8S_90 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3014 | CKV_K8S_90 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3015 | CKV_K8S_90 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3016 | CKV_K8S_90 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3017 | CKV_K8S_90 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3018 | CKV_K8S_90 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3019 | CKV_K8S_90 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3020 | CKV_K8S_90 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3021 | CKV_K8S_91 | resource | CronJob | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3022 | CKV_K8S_91 | resource | DaemonSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3023 | CKV_K8S_91 | resource | Deployment | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3024 | CKV_K8S_91 | resource | DeploymentConfig | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3025 | CKV_K8S_91 | resource | Job | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3026 | CKV_K8S_91 | resource | Pod | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3027 | CKV_K8S_91 | resource | PodTemplate | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3028 | CKV_K8S_91 | resource | ReplicaSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3029 | CKV_K8S_91 | resource | ReplicationController | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3030 | CKV_K8S_91 | resource | StatefulSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3031 | CKV_K8S_92 | resource | CronJob | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3032 | CKV_K8S_92 | resource | DaemonSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3033 | CKV_K8S_92 | resource | Deployment | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3034 | CKV_K8S_92 | resource | DeploymentConfig | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3035 | CKV_K8S_92 | resource | Job | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3036 | CKV_K8S_92 | resource | Pod | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3037 | CKV_K8S_92 | resource | PodTemplate | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3038 | CKV_K8S_92 | resource | ReplicaSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3039 | CKV_K8S_92 | resource | ReplicationController | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3040 | CKV_K8S_92 | resource | StatefulSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3041 | CKV_K8S_93 | resource | CronJob | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3042 | CKV_K8S_93 | resource | DaemonSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3043 | CKV_K8S_93 | resource | Deployment | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3044 | CKV_K8S_93 | resource | DeploymentConfig | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3045 | CKV_K8S_93 | resource | Job | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3046 | CKV_K8S_93 | resource | Pod | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3047 | CKV_K8S_93 | resource | PodTemplate | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3048 | CKV_K8S_93 | resource | ReplicaSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3049 | CKV_K8S_93 | resource | ReplicationController | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3050 | CKV_K8S_93 | resource | StatefulSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3051 | CKV_K8S_94 | resource | CronJob | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3052 | CKV_K8S_94 | resource | DaemonSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3053 | CKV_K8S_94 | resource | Deployment | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3054 | CKV_K8S_94 | resource | DeploymentConfig | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3055 | CKV_K8S_94 | resource | Job | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3056 | CKV_K8S_94 | resource | Pod | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3057 | CKV_K8S_94 | resource | PodTemplate | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3058 | CKV_K8S_94 | resource | ReplicaSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3059 | CKV_K8S_94 | resource | ReplicationController | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3060 | CKV_K8S_94 | resource | StatefulSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3061 | CKV_K8S_95 | resource | CronJob | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3062 | CKV_K8S_95 | resource | DaemonSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3063 | CKV_K8S_95 | resource | Deployment | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3064 | CKV_K8S_95 | resource | DeploymentConfig | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3065 | CKV_K8S_95 | resource | Job | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3066 | CKV_K8S_95 | resource | Pod | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3067 | CKV_K8S_95 | resource | PodTemplate | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3068 | CKV_K8S_95 | resource | ReplicaSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3069 | CKV_K8S_95 | resource | ReplicationController | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3070 | CKV_K8S_95 | resource | StatefulSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3071 | CKV_K8S_96 | resource | CronJob | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3072 | CKV_K8S_96 | resource | DaemonSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3073 | CKV_K8S_96 | resource | Deployment | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3074 | CKV_K8S_96 | resource | DeploymentConfig | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3075 | CKV_K8S_96 | resource | Job | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3076 | CKV_K8S_96 | resource | Pod | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3077 | CKV_K8S_96 | resource | PodTemplate | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3078 | CKV_K8S_96 | resource | ReplicaSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3079 | CKV_K8S_96 | resource | ReplicationController | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3080 | CKV_K8S_96 | resource | StatefulSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3081 | CKV_K8S_97 | resource | CronJob | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3082 | CKV_K8S_97 | resource | DaemonSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3083 | CKV_K8S_97 | resource | Deployment | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3084 | CKV_K8S_97 | resource | DeploymentConfig | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3085 | CKV_K8S_97 | resource | Job | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3086 | CKV_K8S_97 | resource | Pod | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3087 | CKV_K8S_97 | resource | PodTemplate | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3088 | CKV_K8S_97 | resource | ReplicaSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3089 | CKV_K8S_97 | resource | ReplicationController | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3090 | CKV_K8S_97 | resource | StatefulSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3091 | CKV_K8S_99 | resource | CronJob | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3092 | CKV_K8S_99 | resource | DaemonSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3093 | CKV_K8S_99 | resource | Deployment | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3094 | CKV_K8S_99 | resource | DeploymentConfig | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3095 | CKV_K8S_99 | resource | Job | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3096 | CKV_K8S_99 | resource | Pod | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3097 | CKV_K8S_99 | resource | PodTemplate | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3098 | CKV_K8S_99 | resource | ReplicaSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3099 | CKV_K8S_99 | resource | ReplicationController | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3100 | CKV_K8S_99 | resource | StatefulSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3101 | CKV_K8S_100 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3102 | CKV_K8S_100 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3103 | CKV_K8S_100 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3104 | CKV_K8S_100 | resource | DeploymentConfig | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3105 | CKV_K8S_100 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3106 | CKV_K8S_100 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3107 | CKV_K8S_100 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3108 | CKV_K8S_100 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3109 | CKV_K8S_100 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3110 | CKV_K8S_100 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3111 | CKV_K8S_102 | resource | CronJob | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3112 | CKV_K8S_102 | resource | DaemonSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3113 | CKV_K8S_102 | resource | Deployment | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3114 | CKV_K8S_102 | resource | DeploymentConfig | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3115 | CKV_K8S_102 | resource | Job | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3116 | CKV_K8S_102 | resource | Pod | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3117 | CKV_K8S_102 | resource | PodTemplate | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3118 | CKV_K8S_102 | resource | ReplicaSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3119 | CKV_K8S_102 | resource | ReplicationController | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3120 | CKV_K8S_102 | resource | StatefulSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3121 | CKV_K8S_104 | resource | CronJob | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3122 | CKV_K8S_104 | resource | DaemonSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3123 | CKV_K8S_104 | resource | Deployment | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3124 | CKV_K8S_104 | resource | DeploymentConfig | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3125 | CKV_K8S_104 | resource | Job | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3126 | CKV_K8S_104 | resource | Pod | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3127 | CKV_K8S_104 | resource | PodTemplate | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3128 | CKV_K8S_104 | resource | ReplicaSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3129 | CKV_K8S_104 | resource | ReplicationController | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3130 | CKV_K8S_104 | resource | StatefulSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3131 | CKV_K8S_105 | resource | CronJob | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3132 | CKV_K8S_105 | resource | DaemonSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3133 | CKV_K8S_105 | resource | Deployment | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3134 | CKV_K8S_105 | resource | DeploymentConfig | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3135 | CKV_K8S_105 | resource | Job | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3136 | CKV_K8S_105 | resource | Pod | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3137 | CKV_K8S_105 | resource | PodTemplate | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3138 | CKV_K8S_105 | resource | ReplicaSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3139 | CKV_K8S_105 | resource | ReplicationController | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3140 | CKV_K8S_105 | resource | StatefulSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3141 | CKV_K8S_106 | resource | CronJob | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3142 | CKV_K8S_106 | resource | DaemonSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3143 | CKV_K8S_106 | resource | Deployment | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3144 | CKV_K8S_106 | resource | DeploymentConfig | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3145 | CKV_K8S_106 | resource | Job | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3146 | CKV_K8S_106 | resource | Pod | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3147 | CKV_K8S_106 | resource | PodTemplate | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3148 | CKV_K8S_106 | resource | ReplicaSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3149 | CKV_K8S_106 | resource | ReplicationController | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3150 | CKV_K8S_106 | resource | StatefulSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3151 | CKV_K8S_107 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3152 | CKV_K8S_107 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3153 | CKV_K8S_107 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3154 | CKV_K8S_107 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3155 | CKV_K8S_107 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3156 | CKV_K8S_107 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3157 | CKV_K8S_107 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3158 | CKV_K8S_107 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3159 | CKV_K8S_107 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3160 | CKV_K8S_107 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3161 | CKV_K8S_108 | resource | CronJob | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3162 | CKV_K8S_108 | resource | DaemonSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3163 | CKV_K8S_108 | resource | Deployment | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3164 | CKV_K8S_108 | resource | DeploymentConfig | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3165 | CKV_K8S_108 | resource | Job | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3166 | CKV_K8S_108 | resource | Pod | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3167 | CKV_K8S_108 | resource | PodTemplate | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3168 | CKV_K8S_108 | resource | ReplicaSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3169 | CKV_K8S_108 | resource | ReplicationController | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3170 | CKV_K8S_108 | resource | StatefulSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3171 | CKV_K8S_110 | resource | CronJob | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3172 | CKV_K8S_110 | resource | DaemonSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3173 | CKV_K8S_110 | resource | Deployment | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3174 | CKV_K8S_110 | resource | DeploymentConfig | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3175 | CKV_K8S_110 | resource | Job | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3176 | CKV_K8S_110 | resource | Pod | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3177 | CKV_K8S_110 | resource | PodTemplate | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3178 | CKV_K8S_110 | resource | ReplicaSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3179 | CKV_K8S_110 | resource | ReplicationController | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3180 | CKV_K8S_110 | resource | StatefulSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3181 | CKV_K8S_111 | resource | CronJob | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3182 | CKV_K8S_111 | resource | DaemonSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3183 | CKV_K8S_111 | resource | Deployment | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3184 | CKV_K8S_111 | resource | DeploymentConfig | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3185 | CKV_K8S_111 | resource | Job | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3186 | CKV_K8S_111 | resource | Pod | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3187 | CKV_K8S_111 | resource | PodTemplate | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3188 | CKV_K8S_111 | resource | ReplicaSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3189 | CKV_K8S_111 | resource | ReplicationController | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3190 | CKV_K8S_111 | resource | StatefulSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3191 | CKV_K8S_112 | resource | CronJob | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3192 | CKV_K8S_112 | resource | DaemonSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3193 | CKV_K8S_112 | resource | Deployment | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3194 | CKV_K8S_112 | resource | DeploymentConfig | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3195 | CKV_K8S_112 | resource | Job | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3196 | CKV_K8S_112 | resource | Pod | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3197 | CKV_K8S_112 | resource | PodTemplate | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3198 | CKV_K8S_112 | resource | ReplicaSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3199 | CKV_K8S_112 | resource | ReplicationController | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3200 | CKV_K8S_112 | resource | StatefulSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3201 | CKV_K8S_113 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3202 | CKV_K8S_113 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3203 | CKV_K8S_113 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3204 | CKV_K8S_113 | resource | DeploymentConfig | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3205 | CKV_K8S_113 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3206 | CKV_K8S_113 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3207 | CKV_K8S_113 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3208 | CKV_K8S_113 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3209 | CKV_K8S_113 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3210 | CKV_K8S_113 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3211 | CKV_K8S_114 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3212 | CKV_K8S_114 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3213 | CKV_K8S_114 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3214 | CKV_K8S_114 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3215 | CKV_K8S_114 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3216 | CKV_K8S_114 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3217 | CKV_K8S_114 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3218 | CKV_K8S_114 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3219 | CKV_K8S_114 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3220 | CKV_K8S_114 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3221 | CKV_K8S_115 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3222 | CKV_K8S_115 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3223 | CKV_K8S_115 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3224 | CKV_K8S_115 | resource | DeploymentConfig | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3225 | CKV_K8S_115 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3226 | CKV_K8S_115 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3227 | CKV_K8S_115 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3228 | CKV_K8S_115 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3229 | CKV_K8S_115 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3230 | CKV_K8S_115 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3231 | CKV_K8S_116 | resource | CronJob | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3232 | CKV_K8S_116 | resource | DaemonSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3233 | CKV_K8S_116 | resource | Deployment | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3234 | CKV_K8S_116 | resource | DeploymentConfig | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3235 | CKV_K8S_116 | resource | Job | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3236 | CKV_K8S_116 | resource | Pod | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3237 | CKV_K8S_116 | resource | PodTemplate | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3238 | CKV_K8S_116 | resource | ReplicaSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3239 | CKV_K8S_116 | resource | ReplicationController | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3240 | CKV_K8S_116 | resource | StatefulSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3241 | CKV_K8S_117 | resource | CronJob | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3242 | CKV_K8S_117 | resource | DaemonSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3243 | CKV_K8S_117 | resource | Deployment | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3244 | CKV_K8S_117 | resource | DeploymentConfig | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3245 | CKV_K8S_117 | resource | Job | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3246 | CKV_K8S_117 | resource | Pod | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3247 | CKV_K8S_117 | resource | PodTemplate | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3248 | CKV_K8S_117 | resource | ReplicaSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3249 | CKV_K8S_117 | resource | ReplicationController | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3250 | CKV_K8S_117 | resource | StatefulSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3251 | CKV_K8S_118 | resource | CronJob | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3252 | CKV_K8S_118 | resource | DaemonSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3253 | CKV_K8S_118 | resource | Deployment | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3254 | CKV_K8S_118 | resource | DeploymentConfig | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3255 | CKV_K8S_118 | resource | Job | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3256 | CKV_K8S_118 | resource | Pod | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3257 | CKV_K8S_118 | resource | PodTemplate | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3258 | CKV_K8S_118 | resource | ReplicaSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3259 | CKV_K8S_118 | resource | ReplicationController | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3260 | CKV_K8S_118 | resource | StatefulSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3261 | CKV_K8S_119 | resource | CronJob | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3262 | CKV_K8S_119 | resource | DaemonSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3263 | CKV_K8S_119 | resource | Deployment | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3264 | CKV_K8S_119 | resource | DeploymentConfig | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3265 | CKV_K8S_119 | resource | Job | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3266 | CKV_K8S_119 | resource | Pod | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3267 | CKV_K8S_119 | resource | PodTemplate | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3268 | CKV_K8S_119 | resource | ReplicaSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3269 | CKV_K8S_119 | resource | ReplicationController | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3270 | CKV_K8S_119 | resource | StatefulSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3271 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true | Kubernetes | [PeerClientCertAuthTrue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PeerClientCertAuthTrue.py) | +| 3272 | CKV_K8S_138 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3273 | CKV_K8S_138 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3274 | CKV_K8S_138 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3275 | CKV_K8S_138 | resource | DeploymentConfig | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3276 | CKV_K8S_138 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3277 | CKV_K8S_138 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3278 | CKV_K8S_138 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3279 | CKV_K8S_138 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3280 | CKV_K8S_138 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3281 | CKV_K8S_138 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3282 | CKV_K8S_139 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3283 | CKV_K8S_139 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3284 | CKV_K8S_139 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3285 | CKV_K8S_139 | resource | DeploymentConfig | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3286 | CKV_K8S_139 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3287 | CKV_K8S_139 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3288 | CKV_K8S_139 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3289 | CKV_K8S_139 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3290 | CKV_K8S_139 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3291 | CKV_K8S_139 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3292 | CKV_K8S_140 | resource | CronJob | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3293 | CKV_K8S_140 | resource | DaemonSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3294 | CKV_K8S_140 | resource | Deployment | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3295 | CKV_K8S_140 | resource | DeploymentConfig | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3296 | CKV_K8S_140 | resource | Job | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3297 | CKV_K8S_140 | resource | Pod | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3298 | CKV_K8S_140 | resource | PodTemplate | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3299 | CKV_K8S_140 | resource | ReplicaSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3300 | CKV_K8S_140 | resource | ReplicationController | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3301 | CKV_K8S_140 | resource | StatefulSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3302 | CKV_K8S_141 | resource | CronJob | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3303 | CKV_K8S_141 | resource | DaemonSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3304 | CKV_K8S_141 | resource | Deployment | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3305 | CKV_K8S_141 | resource | DeploymentConfig | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3306 | CKV_K8S_141 | resource | Job | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3307 | CKV_K8S_141 | resource | Pod | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3308 | CKV_K8S_141 | resource | PodTemplate | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3309 | CKV_K8S_141 | resource | ReplicaSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3310 | CKV_K8S_141 | resource | ReplicationController | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3311 | CKV_K8S_141 | resource | StatefulSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3312 | CKV_K8S_143 | resource | CronJob | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3313 | CKV_K8S_143 | resource | DaemonSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3314 | CKV_K8S_143 | resource | Deployment | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3315 | CKV_K8S_143 | resource | DeploymentConfig | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3316 | CKV_K8S_143 | resource | Job | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3317 | CKV_K8S_143 | resource | Pod | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3318 | CKV_K8S_143 | resource | PodTemplate | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3319 | CKV_K8S_143 | resource | ReplicaSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3320 | CKV_K8S_143 | resource | ReplicationController | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3321 | CKV_K8S_143 | resource | StatefulSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3322 | CKV_K8S_144 | resource | CronJob | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3323 | CKV_K8S_144 | resource | DaemonSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3324 | CKV_K8S_144 | resource | Deployment | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3325 | CKV_K8S_144 | resource | DeploymentConfig | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3326 | CKV_K8S_144 | resource | Job | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3327 | CKV_K8S_144 | resource | Pod | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3328 | CKV_K8S_144 | resource | PodTemplate | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3329 | CKV_K8S_144 | resource | ReplicaSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3330 | CKV_K8S_144 | resource | ReplicationController | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3331 | CKV_K8S_144 | resource | StatefulSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3332 | CKV_K8S_145 | resource | CronJob | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3333 | CKV_K8S_145 | resource | DaemonSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3334 | CKV_K8S_145 | resource | Deployment | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3335 | CKV_K8S_145 | resource | DeploymentConfig | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3336 | CKV_K8S_145 | resource | Job | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3337 | CKV_K8S_145 | resource | Pod | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3338 | CKV_K8S_145 | resource | PodTemplate | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3339 | CKV_K8S_145 | resource | ReplicaSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3340 | CKV_K8S_145 | resource | ReplicationController | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3341 | CKV_K8S_145 | resource | StatefulSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3342 | CKV_K8S_146 | resource | CronJob | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3343 | CKV_K8S_146 | resource | DaemonSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3344 | CKV_K8S_146 | resource | Deployment | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3345 | CKV_K8S_146 | resource | DeploymentConfig | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3346 | CKV_K8S_146 | resource | Job | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3347 | CKV_K8S_146 | resource | Pod | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3348 | CKV_K8S_146 | resource | PodTemplate | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3349 | CKV_K8S_146 | resource | ReplicaSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3350 | CKV_K8S_146 | resource | ReplicationController | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3351 | CKV_K8S_146 | resource | StatefulSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3352 | CKV_K8S_147 | resource | CronJob | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3353 | CKV_K8S_147 | resource | DaemonSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3354 | CKV_K8S_147 | resource | Deployment | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3355 | CKV_K8S_147 | resource | DeploymentConfig | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3356 | CKV_K8S_147 | resource | Job | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3357 | CKV_K8S_147 | resource | Pod | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3358 | CKV_K8S_147 | resource | PodTemplate | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3359 | CKV_K8S_147 | resource | ReplicaSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3360 | CKV_K8S_147 | resource | ReplicationController | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3361 | CKV_K8S_147 | resource | StatefulSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3362 | CKV_K8S_148 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3363 | CKV_K8S_148 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3364 | CKV_K8S_148 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3365 | CKV_K8S_148 | resource | DeploymentConfig | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3366 | CKV_K8S_148 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3367 | CKV_K8S_148 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3368 | CKV_K8S_148 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3369 | CKV_K8S_148 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3370 | CKV_K8S_148 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3371 | CKV_K8S_148 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3372 | CKV_K8S_149 | resource | CronJob | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3373 | CKV_K8S_149 | resource | DaemonSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3374 | CKV_K8S_149 | resource | Deployment | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3375 | CKV_K8S_149 | resource | DeploymentConfig | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3376 | CKV_K8S_149 | resource | Job | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3377 | CKV_K8S_149 | resource | Pod | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3378 | CKV_K8S_149 | resource | PodTemplate | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3379 | CKV_K8S_149 | resource | ReplicaSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3380 | CKV_K8S_149 | resource | ReplicationController | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3381 | CKV_K8S_149 | resource | StatefulSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3382 | CKV_K8S_151 | resource | CronJob | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3383 | CKV_K8S_151 | resource | DaemonSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3384 | CKV_K8S_151 | resource | Deployment | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3385 | CKV_K8S_151 | resource | DeploymentConfig | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3386 | CKV_K8S_151 | resource | Job | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3387 | CKV_K8S_151 | resource | Pod | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3388 | CKV_K8S_151 | resource | PodTemplate | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3389 | CKV_K8S_151 | resource | ReplicaSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3390 | CKV_K8S_151 | resource | ReplicationController | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3391 | CKV_K8S_151 | resource | StatefulSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3392 | CKV_K8S_152 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain LUA code execution. See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742Lua.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Lua.py) | +| 3393 | CKV_K8S_153 | resource | Ingress | Prevent All NGINX Ingress annotation snippets. See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742AllSnippets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742AllSnippets.py) | +| 3394 | CKV_K8S_154 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain alias statements See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742Alias.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Alias.py) | +| 3395 | CKV_K8S_155 | resource | ClusterRole | Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations | Kubernetes | [RbacControlWebhooks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py) | +| 3396 | CKV_K8S_156 | resource | ClusterRole | Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests | Kubernetes | [RbacApproveCertificateSigningRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacApproveCertificateSigningRequests.py) | +| 3397 | CKV_K8S_157 | resource | ClusterRole | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | Kubernetes | [RbacBindRoleBindings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py) | +| 3398 | CKV_K8S_157 | resource | Role | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | Kubernetes | [RbacBindRoleBindings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py) | +| 3399 | CKV_K8S_158 | resource | ClusterRole | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | Kubernetes | [RbacEscalateRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py) | +| 3400 | CKV_K8S_158 | resource | Role | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | Kubernetes | [RbacEscalateRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py) | +| 3401 | CKV2_K8S_1 | resource | ClusterRole | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | +| 3402 | CKV2_K8S_1 | resource | ClusterRoleBinding | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | +| 3403 | CKV2_K8S_1 | resource | Role | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | +| 3404 | CKV2_K8S_1 | resource | RoleBinding | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | +| 3405 | CKV2_K8S_2 | resource | ClusterRole | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | +| 3406 | CKV2_K8S_2 | resource | ClusterRoleBinding | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | +| 3407 | CKV2_K8S_2 | resource | Role | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | +| 3408 | CKV2_K8S_2 | resource | RoleBinding | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | +| 3409 | CKV2_K8S_3 | resource | ClusterRole | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | +| 3410 | CKV2_K8S_3 | resource | ClusterRoleBinding | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | +| 3411 | CKV2_K8S_3 | resource | Role | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | +| 3412 | CKV2_K8S_3 | resource | RoleBinding | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | +| 3413 | CKV2_K8S_4 | resource | ClusterRole | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | +| 3414 | CKV2_K8S_4 | resource | ClusterRoleBinding | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | +| 3415 | CKV2_K8S_4 | resource | Role | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | +| 3416 | CKV2_K8S_4 | resource | RoleBinding | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | +| 3417 | CKV2_K8S_5 | resource | ClusterRole | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | +| 3418 | CKV2_K8S_5 | resource | ClusterRoleBinding | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | +| 3419 | CKV2_K8S_5 | resource | Role | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | +| 3420 | CKV2_K8S_5 | resource | RoleBinding | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | +| 3421 | CKV2_K8S_6 | resource | Deployment | Minimize the admission of pods which lack an associated NetworkPolicy | Kubernetes | [RequireAllPodsToHaveNetworkPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RequireAllPodsToHaveNetworkPolicy.yaml) | +| 3422 | CKV2_K8S_6 | resource | Pod | Minimize the admission of pods which lack an associated NetworkPolicy | Kubernetes | [RequireAllPodsToHaveNetworkPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RequireAllPodsToHaveNetworkPolicy.yaml) | +| 3423 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/linode/credentials.py) | +| 3424 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | [authorized_keys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/authorized_keys.py) | +| 3425 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | [user_email_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_email_set.py) | +| 3426 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | [user_username_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_username_set.py) | +| 3427 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_inbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_inbound_policy.py) | +| 3428 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_outbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_outbound_policy.py) | +| 3429 | CKV_NCP_1 | resource | ncloud_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupDefinesHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py) | +| 3430 | CKV_NCP_2 | resource | ncloud_access_control_group | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | +| 3431 | CKV_NCP_2 | resource | ncloud_access_control_group_rule | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | +| 3432 | CKV_NCP_3 | resource | ncloud_access_control_group_rule | Ensure no security group rules allow outbound traffic to 0.0.0.0/0 | Terraform | [AccessControlGroupOutboundRule.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py) | +| 3433 | CKV_NCP_4 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22 | Terraform | [AccessControlGroupInboundRulePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort22.py) | +| 3434 | CKV_NCP_5 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [AccessControlGroupInboundRulePort3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort3389.py) | +| 3435 | CKV_NCP_6 | resource | ncloud_server | Ensure Server instance is encrypted. | Terraform | [ServerEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerEncryptionVPC.py) | +| 3436 | CKV_NCP_7 | resource | ncloud_launch_configuration | Ensure Basic Block storage is encrypted. | Terraform | [LaunchConfigurationEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LaunchConfigurationEncryptionVPC.py) | +| 3437 | CKV_NCP_8 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 20 | Terraform | [NACLInbound20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound20.py) | +| 3438 | CKV_NCP_9 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 21 | Terraform | [NACLInbound21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound21.py) | +| 3439 | CKV_NCP_10 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 22 | Terraform | [NACLInbound22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound22.py) | +| 3440 | CKV_NCP_11 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [NACLInbound3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound3389.py) | +| 3441 | CKV_NCP_12 | resource | ncloud_network_acl_rule | An inbound Network ACL rule should not allow ALL ports. | Terraform | [NACLPortCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLPortCheck.py) | +| 3442 | CKV_NCP_13 | resource | ncloud_lb_listener | Ensure LB Listener uses only secure protocols | Terraform | [LBListenerUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py) | +| 3443 | CKV_NCP_14 | resource | ncloud_nas_volume | Ensure NAS is securely encrypted | Terraform | [NASEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py) | +| 3444 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | [LBTargetGroupUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py) | +| 3445 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | [LBNetworkPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py) | +| 3446 | CKV_NCP_18 | resource | ncloud_auto_scaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | +| 3447 | CKV_NCP_18 | resource | ncloud_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | +| 3448 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | [NKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSPublicAccess.py) | +| 3449 | CKV_NCP_20 | resource | ncloud_route | Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | Terraform | [RouteTableNATGatewayDefault.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py) | +| 3450 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | [NKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py) | +| 3451 | CKV_NCP_22 | resource | ncloud_route_table | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | +| 3452 | CKV_NCP_22 | resource | ncloud_subnet | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | +| 3453 | CKV_NCP_23 | resource | ncloud_public_ip | Ensure Server instance should not have public IP. | Terraform | [ServerPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerPublicIP.py) | +| 3454 | CKV_NCP_24 | resource | ncloud_lb_listener | Ensure Load Balancer Listener Using HTTPS | Terraform | [LBListenerUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsingHTTPS.py) | +| 3455 | CKV_NCP_25 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 | Terraform | [AccessControlGroupInboundRulePort80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort80.py) | +| 3456 | CKV_NCP_26 | resource | ncloud_access_control_group | Ensure Access Control Group has Access Control Group Rule attached | Terraform | [AccessControlGroupRuleDefine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AccessControlGroupRuleDefine.yaml) | +| 3457 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/oci/credentials.py) | +| 3458 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | [StorageBlockBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockBackupEnabled.py) | +| 3459 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | [StorageBlockEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockEncryption.py) | +| 3460 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | [InstanceBootVolumeIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceBootVolumeIntransitEncryption.py) | +| 3461 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | [InstanceMetadataServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMetadataServiceEnabled.py) | +| 3462 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | [InstanceMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMonitoringEnabled.py) | +| 3463 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | [ObjectStorageEmitEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEmitEvents.py) | +| 3464 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | [ObjectStorageVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageVersioning.py) | +| 3465 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | [ObjectStorageEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEncryption.py) | +| 3466 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | [ObjectStoragePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStoragePublic.py) | +| 3467 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | [IAMPasswordPolicyLowerCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyLowerCase.py) | +| 3468 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | [IAMPasswordPolicyNumeric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyNumeric.py) | +| 3469 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | [IAMPasswordPolicySpecialCharacters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicySpecialCharacters.py) | +| 3470 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | [IAMPasswordPolicyUpperCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyUpperCase.py) | +| 3471 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | [FileSystemEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/FileSystemEncryption.py) | +| 3472 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | [SecurityListIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngress.py) | +| 3473 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | [SecurityListIngressStateless.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngressStateless.py) | +| 3474 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters | Terraform | [IAMPasswordLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordLength.py) | +| 3475 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | [SecurityListUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress22.py) | +| 3476 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | [SecurityListUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress3389.py) | +| 3477 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | [SecurityGroupsIngressStatelessSecurityRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityGroupsIngressStatelessSecurityRules.py) | +| 3478 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | [AbsSecurityGroupUnrestrictedIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/AbsSecurityGroupUnrestrictedIngress.py) | +| 3479 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 3480 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 3481 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 3482 | CKV2_OCI_2 | resource | oci_core_network_security_group_security_rule | Ensure NSG does not allow all traffic on RDP port (3389) | Terraform | [OCI_NSGNotAllowRDP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml) | +| 3483 | CKV2_OCI_3 | resource | oci_containerengine_cluster | Ensure Kubernetes engine cluster is configured with NSG(s) | Terraform | [OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml) | +| 3484 | CKV2_OCI_4 | resource | oci_file_storage_export | Ensure File Storage File System access is restricted to root users | Terraform | [OCI_NFSaccessRestrictedToRootUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NFSaccessRestrictedToRootUsers.yaml) | +| 3485 | CKV2_OCI_5 | resource | oci_containerengine_node_pool | Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Terraform | [OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml) | +| 3486 | CKV2_OCI_6 | resource | oci_containerengine_cluster | Ensure Kubernetes Engine Cluster pod security policy is enforced | Terraform | [OCI_K8EngineClusterPodSecPolicyEnforced.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterPodSecPolicyEnforced.yaml) | +| 3487 | CKV_OPENAPI_1 | resource | securityDefinitions | Ensure that securityDefinitions is defined and not empty - version 2.0 files | OpenAPI | [SecurityDefinitions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityDefinitions.py) | +| 3488 | CKV_OPENAPI_2 | resource | security | Ensure that if the security scheme is not of type 'oauth2', the array value must be empty - version 2.0 files | OpenAPI | [Oauth2SecurityRequirement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityRequirement.py) | +| 3489 | CKV_OPENAPI_3 | resource | components | Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files | OpenAPI | [CleartextOverUnencryptedChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v3/CleartextOverUnencryptedChannel.py) | +| 3490 | CKV_OPENAPI_4 | resource | security | Ensure that the global security field has rules defined | OpenAPI | [GlobalSecurityFieldIsEmpty.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/GlobalSecurityFieldIsEmpty.py) | +| 3491 | CKV_OPENAPI_5 | resource | security | Ensure that security operations is not empty. | OpenAPI | [SecurityOperations.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/SecurityOperations.py) | +| 3492 | CKV_OPENAPI_6 | resource | security | Ensure that security requirement defined in securityDefinitions - version 2.0 files | OpenAPI | [SecurityRequirement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityRequirement.py) | +| 3493 | CKV_OPENAPI_7 | resource | security | Ensure that the path scheme does not support unencrypted HTTP connection where all transmissions are open to interception- version 2.0 files | OpenAPI | [PathSchemeDefineHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/PathSchemeDefineHTTP.py) | +| 3494 | CKV_OPENAPI_8 | resource | security | Ensure that security is not using 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2SecurityPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityPasswordFlow.py) | +| 3495 | CKV_OPENAPI_9 | resource | paths | Ensure that security scopes of operations are defined in securityDefinitions - version 2.0 files | OpenAPI | [OperationObjectSecurityScopeUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectSecurityScopeUndefined.py) | +| 3496 | CKV_OPENAPI_10 | resource | paths | Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2OperationObjectPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2OperationObjectPasswordFlow.py) | +| 3497 | CKV_OPENAPI_11 | resource | securityDefinitions | Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2SecurityDefinitionPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityDefinitionPasswordFlow.py) | +| 3498 | CKV_OPENAPI_12 | resource | securityDefinitions | Ensure no security definition is using implicit flow on OAuth2, which is deprecated - version 2.0 files | OpenAPI | [Oauth2SecurityDefinitionImplicitFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityDefinitionImplicitFlow.py) | +| 3499 | CKV_OPENAPI_13 | resource | securityDefinitions | Ensure security definitions do not use basic auth - version 2.0 files | OpenAPI | [SecurityDefinitionBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityDefinitionBasicAuth.py) | +| 3500 | CKV_OPENAPI_14 | resource | paths | Ensure that operation objects do not use 'implicit' flow, which is deprecated - version 2.0 files | OpenAPI | [OperationObjectImplicitFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectImplicitFlow.py) | +| 3501 | CKV_OPENAPI_15 | resource | paths | Ensure that operation objects do not use basic auth - version 2.0 files | OpenAPI | [OperationObjectBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectBasicAuth.py) | +| 3502 | CKV_OPENAPI_16 | resource | paths | Ensure that operation objects have 'produces' field defined for GET operations - version 2.0 files | OpenAPI | [OperationObjectProducesUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectProducesUndefined.py) | +| 3503 | CKV_OPENAPI_17 | resource | paths | Ensure that operation objects have 'consumes' field defined for PUT, POST and PATCH operations - version 2.0 files | OpenAPI | [OperationObjectConsumesUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectConsumesUndefined.py) | +| 3504 | CKV_OPENAPI_18 | resource | schemes | Ensure that global schemes use 'https' protocol instead of 'http'- version 2.0 files | OpenAPI | [GlobalSchemeDefineHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/GlobalSchemeDefineHTTP.py) | +| 3505 | CKV_OPENAPI_19 | resource | security | Ensure that global security scope is defined in securityDefinitions - version 2.0 files | OpenAPI | [GlobalSecurityScopeUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/GlobalSecurityScopeUndefined.py) | +| 3506 | CKV_OPENAPI_20 | resource | paths | Ensure that API keys are not sent over cleartext | OpenAPI | [ClearTextAPIKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/ClearTextAPIKey.py) | +| 3507 | CKV_OPENAPI_21 | resource | paths | Ensure that arrays have a maximum number of items | OpenAPI | [NoMaximumNumberItems.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/NoMaximumNumberItems.py) | +| 3508 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/openstack/credentials.py) | +| 3509 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | +| 3510 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | +| 3511 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | +| 3512 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | +| 3513 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | [ComputeInstanceAdminPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/ComputeInstanceAdminPassword.py) | +| 3514 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | [FirewallRuleSetDestinationIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/FirewallRuleSetDestinationIP.py) | +| 3515 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/panos/credentials.py) | +| 3516 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoHTTP.py) | +| 3517 | CKV_PAN_2 | resource | tasks.paloaltonetworks.panos.panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Ansible | [PanosInterfaceMgmtProfileNoHTTP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoHTTP.yaml) | +| 3518 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoTelnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoTelnet.py) | +| 3519 | CKV_PAN_3 | resource | tasks.paloaltonetworks.panos.panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Ansible | [PanosInterfaceMgmtProfileNoTelnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoTelnet.yaml) | +| 3520 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | +| 3521 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | +| 3522 | CKV_PAN_4 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure DSRI is not enabled within security policies | Ansible | [PanosPolicyNoDSRI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoDSRI.yaml) | +| 3523 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | +| 3524 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | +| 3525 | CKV_PAN_5 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'application' set to 'any' | Ansible | [PanosPolicyNoApplicationAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoApplicationAny.yaml) | +| 3526 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | +| 3527 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | +| 3528 | CKV_PAN_6 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'service' set to 'any' | Ansible | [PanosPolicyNoServiceAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoServiceAny.yaml) | +| 3529 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | +| 3530 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | +| 3531 | CKV_PAN_7 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'source_ip' and 'destination_ip' both containing values of 'any' | Ansible | [PanosPolicyNoSrcAnyDstAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoSrcAnyDstAny.yaml) | +| 3532 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | +| 3533 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | +| 3534 | CKV_PAN_8 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure description is populated within security policies | Ansible | [PanosPolicyDescription.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyDescription.yaml) | +| 3535 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | +| 3536 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | +| 3537 | CKV_PAN_9 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure a Log Forwarding Profile is selected for each security policy rule | Ansible | [PanosPolicyLogForwarding.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLogForwarding.yaml) | +| 3538 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | +| 3539 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | +| 3540 | CKV_PAN_10 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure logging at session end is enabled within security policies | Ansible | [PanosPolicyLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLoggingEnabled.yaml) | +| 3541 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | +| 3542 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | +| 3543 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | +| 3544 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | +| 3545 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | +| 3546 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | +| 3547 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 3548 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 3549 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 3550 | CKV_PAN_14 | resource | tasks.paloaltonetworks.panos.panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Ansible | [PanosZoneProtectionProfile.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosZoneProtectionProfile.yaml) | +| 3551 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | +| 3552 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | +| 3553 | CKV_PAN_15 | resource | tasks.paloaltonetworks.panos.panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Ansible | [PanosZoneUserIDIncludeACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosZoneUserIDIncludeACL.yaml) | +| 3554 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3555 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3556 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3557 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3558 | CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3559 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3560 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3561 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3562 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3563 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3564 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3565 | CKV_SECRET_13 | Private Key | secrets | Private Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3566 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3567 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3568 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3569 | CKV_SECRET_17 | Stripe Access Key | secrets | Stripe Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3570 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3571 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3572 | CKV_TF_1 | module | module | Ensure Terraform module sources use a commit hash | Terraform | [RevisionHash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py) | +| 3573 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3574 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3575 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3576 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3577 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3578 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3579 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3580 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3581 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3582 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | [ComputeVMPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMPublicIP.py) | +| 3583 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | [ObjectStorageBucketEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketEncryption.py) | +| 3584 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | [ComputeVMSerialConsole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSerialConsole.py) | +| 3585 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | [K8SPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SPublicIP.py) | +| 3586 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | [K8SNodeGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupPublicIP.py) | +| 3587 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform | [K8SAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SAutoUpgrade.py) | +| 3588 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | [K8SNodeGroupAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupAutoUpgrade.py) | +| 3589 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | [KMSSymmetricKeyRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/KMSSymmetricKeyRotation.py) | +| 3590 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | [K8SEtcdKMSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SEtcdKMSEncryption.py) | +| 3591 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | [ComputeVMSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSecurityGroup.py) | +| 3592 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3593 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3594 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3595 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3596 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3597 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3598 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3599 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3600 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | +| 3601 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | +| 3602 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | [K8SSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SSecurityGroup.py) | +| 3603 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | [K8SNodeGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupSecurityGroup.py) | +| 3604 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | [K8SNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNetworkPolicy.py) | +| 3605 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. | Terraform | [ObjectStorageBucketPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py) | +| 3606 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | [ComputeInstanceGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupPublicIP.py) | +| 3607 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform | [VPCSecurityGroupAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py) | +| 3608 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | [VPCSecurityGroupRuleAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py) | +| 3609 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | +| 3610 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | +| 3611 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform | [ComputeInstanceGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupSecurityGroup.py) | +| 3612 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | +| 3613 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | +| 3614 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3615 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3616 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3617 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3618 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3619 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | --- diff --git a/docs/5.Policy Index/arm.md b/docs/5.Policy Index/arm.md index 8efd189aa3f..788a8d34ccb 100644 --- a/docs/5.Policy Index/arm.md +++ b/docs/5.Policy Index/arm.md @@ -71,28 +71,33 @@ nav_order: 1 | 60 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | arm | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) | | 61 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | arm | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) | | 62 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | arm | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) | -| 63 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | arm | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | -| 64 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | arm | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | -| 65 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | arm | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | -| 66 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | arm | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) | -| 67 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | arm | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) | -| 68 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | arm | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) | -| 69 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | arm | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) | -| 70 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | arm | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) | -| 71 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | arm | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) | -| 72 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | arm | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) | -| 73 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | arm | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) | -| 74 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | arm | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) | -| 75 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | arm | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) | -| 76 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | arm | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) | -| 77 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py) | -| 78 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | arm | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) | -| 79 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | arm | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) | -| 80 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | arm | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | -| 81 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 82 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 83 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | arm | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | -| 84 | CKV2_AZURE_23 | resource | Microsoft.AppPlatform/Spring | Ensure Azure spring cloud is configured with Virtual network (Vnet) | arm | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureSpringCloudConfigWithVnet.yaml) | +| 63 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | arm | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) | +| 64 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | arm | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | +| 65 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | arm | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | +| 66 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | arm | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | +| 67 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | arm | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) | +| 68 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | arm | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) | +| 69 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | arm | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) | +| 70 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | arm | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) | +| 71 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | arm | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) | +| 72 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | arm | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) | +| 73 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | arm | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) | +| 74 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | arm | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) | +| 75 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | arm | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) | +| 76 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | arm | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) | +| 77 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | arm | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) | +| 78 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | arm | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) | +| 79 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py) | +| 80 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | arm | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) | +| 81 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | arm | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) | +| 82 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 83 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 84 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | arm | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | +| 85 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 86 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 87 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | arm | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | +| 88 | CKV2_AZURE_23 | resource | Microsoft.AppPlatform/Spring | Ensure Azure spring cloud is configured with Virtual network (Vnet) | arm | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureSpringCloudConfigWithVnet.yaml) | +| 89 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | arm | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | --- diff --git a/docs/5.Policy Index/bicep.md b/docs/5.Policy Index/bicep.md index 4f063487692..c92a076a01e 100644 --- a/docs/5.Policy Index/bicep.md +++ b/docs/5.Policy Index/bicep.md @@ -73,27 +73,32 @@ nav_order: 1 | 62 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | Bicep | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) | | 63 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | Bicep | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) | | 64 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Bicep | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) | -| 65 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | Bicep | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | -| 66 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Bicep | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | -| 67 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | Bicep | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | -| 68 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Bicep | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) | -| 69 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | Bicep | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) | -| 70 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | Bicep | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) | -| 71 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | Bicep | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) | -| 72 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | Bicep | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) | -| 73 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | Bicep | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) | -| 74 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | Bicep | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) | -| 75 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | Bicep | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) | -| 76 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | Bicep | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) | -| 77 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Bicep | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) | -| 78 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | Bicep | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) | -| 79 | CKV_AZURE_131 | parameter | string | SecureString parameter should not have hardcoded default values | Bicep | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/param/azure/SecureStringParameterNoHardcodedValue.py) | -| 80 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Bicep | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) | -| 81 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | Bicep | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) | -| 82 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | Bicep | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | -| 83 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 84 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 85 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Bicep | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | +| 65 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | Bicep | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) | +| 66 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | Bicep | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | +| 67 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Bicep | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | +| 68 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | Bicep | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | +| 69 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Bicep | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) | +| 70 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Bicep | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) | +| 71 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | Bicep | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) | +| 72 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | Bicep | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) | +| 73 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | Bicep | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) | +| 74 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | Bicep | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) | +| 75 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | Bicep | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) | +| 76 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | Bicep | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) | +| 77 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | Bicep | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) | +| 78 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | Bicep | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) | +| 79 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Bicep | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) | +| 80 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | Bicep | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) | +| 81 | CKV_AZURE_131 | parameter | string | SecureString parameter should not have hardcoded default values | Bicep | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/param/azure/SecureStringParameterNoHardcodedValue.py) | +| 82 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Bicep | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) | +| 83 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | Bicep | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) | +| 84 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 85 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 86 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | Bicep | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | +| 87 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 88 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 89 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Bicep | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | +| 90 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Bicep | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | --- diff --git a/docs/5.Policy Index/cloudformation.md b/docs/5.Policy Index/cloudformation.md index b2941faec13..db89a2cd3fd 100644 --- a/docs/5.Policy Index/cloudformation.md +++ b/docs/5.Policy Index/cloudformation.md @@ -170,7 +170,12 @@ nav_order: 1 | 159 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | | 160 | CKV_AWS_317 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | | 161 | CKV_AWS_317 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | -| 162 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) | +| 162 | CKV_AWS_360 | resource | AWS::DocDB::DBCluster | Ensure DocDB has an adequate backup retention period | Cloudformation | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py) | +| 163 | CKV_AWS_361 | resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py) | +| 164 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | +| 165 | CKV_AWS_363 | resource | AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | +| 166 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py) | +| 167 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) | --- diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 567d05e9b30..7116154f8b8 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -180,7 +180,12 @@ nav_order: 1 | 159 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | | 160 | CKV_AWS_317 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | | 161 | CKV_AWS_317 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | -| 162 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) | +| 162 | CKV_AWS_360 | resource | AWS::DocDB::DBCluster | Ensure DocDB has an adequate backup retention period | Cloudformation | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py) | +| 163 | CKV_AWS_361 | resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py) | +| 164 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | +| 165 | CKV_AWS_363 | resource | AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | +| 166 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py) | +| 167 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) | --- diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index acac265e4ee..10a39f9444c 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -514,1531 +514,1551 @@ nav_order: 1 | 503 | CKV_AWS_356 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [ResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/ResourcePolicyDocument.py) | | 504 | CKV_AWS_357 | resource | aws_transfer_server | Ensure Transfer Server allows only secure protocols | Terraform | [TransferServerAllowsOnlySecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerAllowsOnlySecureProtocols.py) | | 505 | CKV_AWS_358 | data | aws_iam_policy_document | Ensure GitHub Actions OIDC trust policies only allows actions from a specific known organization | Terraform | [GithubActionsOIDCTrustPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/GithubActionsOIDCTrustPolicy.py) | -| 506 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | -| 507 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | -| 508 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | -| 509 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | -| 510 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | -| 511 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | -| 512 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | -| 513 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | -| 514 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform | [SGAttachedToResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml) | -| 515 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | -| 516 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | -| 517 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | -| 518 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | -| 519 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | [RDSClusterHasBackupPlan.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSClusterHasBackupPlan.yaml) | -| 520 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | [EBSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EBSAddedBackup.yaml) | -| 521 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | [CloudtrailHasCloudwatch.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudtrailHasCloudwatch.yaml) | -| 522 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | [VPCHasFlowLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasFlowLog.yaml) | -| 523 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | -| 524 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | -| 525 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | -| 526 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | -| 527 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 528 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 529 | CKV2_AWS_15 | resource | aws_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 530 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | -| 531 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | -| 532 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | [EFSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EFSAddedBackup.yaml) | -| 533 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | -| 534 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | -| 535 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 536 | CKV2_AWS_20 | resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 537 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 538 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 539 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | [IAMUsersAreMembersAtLeastOneGroup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUsersAreMembersAtLeastOneGroup.yaml) | -| 540 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | [IAMUserHasNoConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUserHasNoConsoleAccess.yaml) | -| 541 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | [Route53ARecordAttachedResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ARecordAttachedResource.yaml) | -| 542 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | -| 543 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | -| 544 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | -| 545 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | -| 546 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | -| 547 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | -| 548 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | -| 549 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | -| 550 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 has a Logging Configuration | Terraform | [WAF2HasLogs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/WAF2HasLogs.yaml) | -| 551 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a response headers policy attached | Terraform | [CloudFrontHasResponseHeadersPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasResponseHeadersPolicy.yaml) | -| 552 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppSyncProtectedByWAF.yaml) | -| 553 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform | [AWSSSMParameterShouldBeEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSSSMParameterShouldBeEncrypted.yaml) | -| 554 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | -| 555 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | -| 556 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | -| 557 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | -| 558 | CKV2_AWS_37 | resource | aws | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 559 | CKV2_AWS_37 | resource | aws_accessanalyzer_analyzer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 560 | CKV2_AWS_37 | resource | aws_acm_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 561 | CKV2_AWS_37 | resource | aws_acm_certificate_validation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 562 | CKV2_AWS_37 | resource | aws_acmpca_certificate_authority | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 563 | CKV2_AWS_37 | resource | aws_ami | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 564 | CKV2_AWS_37 | resource | aws_ami_copy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 565 | CKV2_AWS_37 | resource | aws_ami_from_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 566 | CKV2_AWS_37 | resource | aws_ami_launch_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 567 | CKV2_AWS_37 | resource | aws_api_gateway_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 568 | CKV2_AWS_37 | resource | aws_api_gateway_api_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 569 | CKV2_AWS_37 | resource | aws_api_gateway_authorizer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 570 | CKV2_AWS_37 | resource | aws_api_gateway_base_path_mapping | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 571 | CKV2_AWS_37 | resource | aws_api_gateway_client_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 572 | CKV2_AWS_37 | resource | aws_api_gateway_deployment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 573 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_part | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 574 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_version | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 575 | CKV2_AWS_37 | resource | aws_api_gateway_domain_name | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 576 | CKV2_AWS_37 | resource | aws_api_gateway_gateway_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 577 | CKV2_AWS_37 | resource | aws_api_gateway_integration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 578 | CKV2_AWS_37 | resource | aws_api_gateway_integration_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 579 | CKV2_AWS_37 | resource | aws_api_gateway_method | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 580 | CKV2_AWS_37 | resource | aws_api_gateway_method_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 581 | CKV2_AWS_37 | resource | aws_api_gateway_method_settings | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 582 | CKV2_AWS_37 | resource | aws_api_gateway_model | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 583 | CKV2_AWS_37 | resource | aws_api_gateway_request_validator | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 584 | CKV2_AWS_37 | resource | aws_api_gateway_resource | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 585 | CKV2_AWS_37 | resource | aws_api_gateway_rest_api | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 586 | CKV2_AWS_37 | resource | aws_api_gateway_stage | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 587 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 588 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 589 | CKV2_AWS_37 | resource | aws_api_gateway_vpc_link | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 590 | CKV2_AWS_37 | resource | aws_apigatewayv2_api | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 591 | CKV2_AWS_37 | resource | aws_apigatewayv2_api_mapping | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 592 | CKV2_AWS_37 | resource | aws_apigatewayv2_authorizer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 593 | CKV2_AWS_37 | resource | aws_apigatewayv2_deployment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 594 | CKV2_AWS_37 | resource | aws_apigatewayv2_domain_name | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 595 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 596 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 597 | CKV2_AWS_37 | resource | aws_apigatewayv2_model | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 598 | CKV2_AWS_37 | resource | aws_apigatewayv2_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 599 | CKV2_AWS_37 | resource | aws_apigatewayv2_route_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 600 | CKV2_AWS_37 | resource | aws_apigatewayv2_stage | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 601 | CKV2_AWS_37 | resource | aws_apigatewayv2_vpc_link | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 602 | CKV2_AWS_37 | resource | aws_app_cookie_stickiness_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 603 | CKV2_AWS_37 | resource | aws_appautoscaling_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 604 | CKV2_AWS_37 | resource | aws_appautoscaling_scheduled_action | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 605 | CKV2_AWS_37 | resource | aws_appautoscaling_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 606 | CKV2_AWS_37 | resource | aws_appmesh_mesh | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 607 | CKV2_AWS_37 | resource | aws_appmesh_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 608 | CKV2_AWS_37 | resource | aws_appmesh_virtual_node | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 609 | CKV2_AWS_37 | resource | aws_appmesh_virtual_router | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 610 | CKV2_AWS_37 | resource | aws_appmesh_virtual_service | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 611 | CKV2_AWS_37 | resource | aws_appsync_api_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 612 | CKV2_AWS_37 | resource | aws_appsync_datasource | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 613 | CKV2_AWS_37 | resource | aws_appsync_function | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 614 | CKV2_AWS_37 | resource | aws_appsync_graphql_api | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 615 | CKV2_AWS_37 | resource | aws_appsync_resolver | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 616 | CKV2_AWS_37 | resource | aws_athena_database | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 617 | CKV2_AWS_37 | resource | aws_athena_named_query | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 618 | CKV2_AWS_37 | resource | aws_athena_workgroup | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 619 | CKV2_AWS_37 | resource | aws_autoscaling_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 620 | CKV2_AWS_37 | resource | aws_autoscaling_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 621 | CKV2_AWS_37 | resource | aws_autoscaling_lifecycle_hook | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 622 | CKV2_AWS_37 | resource | aws_autoscaling_notification | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 623 | CKV2_AWS_37 | resource | aws_autoscaling_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 624 | CKV2_AWS_37 | resource | aws_autoscaling_schedule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 625 | CKV2_AWS_37 | resource | aws_backup_plan | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 626 | CKV2_AWS_37 | resource | aws_backup_selection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 627 | CKV2_AWS_37 | resource | aws_backup_vault | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 628 | CKV2_AWS_37 | resource | aws_batch_compute_environment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 629 | CKV2_AWS_37 | resource | aws_batch_job_definition | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 630 | CKV2_AWS_37 | resource | aws_batch_job_queue | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 631 | CKV2_AWS_37 | resource | aws_budgets_budget | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 632 | CKV2_AWS_37 | resource | aws_cloud9_environment_ec2 | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 633 | CKV2_AWS_37 | resource | aws_cloudformation_stack | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 634 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 635 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 636 | CKV2_AWS_37 | resource | aws_cloudfront_distribution | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 637 | CKV2_AWS_37 | resource | aws_cloudfront_origin_access_identity | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 638 | CKV2_AWS_37 | resource | aws_cloudfront_public_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 639 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 640 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_hsm | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 641 | CKV2_AWS_37 | resource | aws_cloudtrail | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 642 | CKV2_AWS_37 | resource | aws_cloudwatch_dashboard | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 643 | CKV2_AWS_37 | resource | aws_cloudwatch_event_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 644 | CKV2_AWS_37 | resource | aws_cloudwatch_event_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 645 | CKV2_AWS_37 | resource | aws_cloudwatch_event_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 646 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 647 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 648 | CKV2_AWS_37 | resource | aws_cloudwatch_log_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 649 | CKV2_AWS_37 | resource | aws_cloudwatch_log_metric_filter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 650 | CKV2_AWS_37 | resource | aws_cloudwatch_log_resource_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 651 | CKV2_AWS_37 | resource | aws_cloudwatch_log_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 652 | CKV2_AWS_37 | resource | aws_cloudwatch_log_subscription_filter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 653 | CKV2_AWS_37 | resource | aws_cloudwatch_metric_alarm | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 654 | CKV2_AWS_37 | resource | aws_codebuild_project | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 655 | CKV2_AWS_37 | resource | aws_codebuild_source_credential | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 656 | CKV2_AWS_37 | resource | aws_codebuild_webhook | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 657 | CKV2_AWS_37 | resource | aws_codecommit_repository | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 658 | CKV2_AWS_37 | resource | aws_codecommit_trigger | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 659 | CKV2_AWS_37 | resource | aws_codedeploy_app | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 660 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_config | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 661 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 662 | CKV2_AWS_37 | resource | aws_codepipeline | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 663 | CKV2_AWS_37 | resource | aws_codepipeline_webhook | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 664 | CKV2_AWS_37 | resource | aws_codestarnotifications_notification_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 665 | CKV2_AWS_37 | resource | aws_cognito_identity_pool | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 666 | CKV2_AWS_37 | resource | aws_cognito_identity_pool_roles_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 667 | CKV2_AWS_37 | resource | aws_cognito_identity_provider | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 668 | CKV2_AWS_37 | resource | aws_cognito_resource_server | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 669 | CKV2_AWS_37 | resource | aws_cognito_user_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 670 | CKV2_AWS_37 | resource | aws_cognito_user_pool | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 671 | CKV2_AWS_37 | resource | aws_cognito_user_pool_client | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 672 | CKV2_AWS_37 | resource | aws_cognito_user_pool_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 673 | CKV2_AWS_37 | resource | aws_config_aggregate_authorization | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 674 | CKV2_AWS_37 | resource | aws_config_config_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 675 | CKV2_AWS_37 | resource | aws_config_configuration_aggregator | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 676 | CKV2_AWS_37 | resource | aws_config_configuration_recorder | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 677 | CKV2_AWS_37 | resource | aws_config_configuration_recorder_status | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 678 | CKV2_AWS_37 | resource | aws_config_delivery_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 679 | CKV2_AWS_37 | resource | aws_config_organization_custom_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 680 | CKV2_AWS_37 | resource | aws_config_organization_managed_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 681 | CKV2_AWS_37 | resource | aws_cur_report_definition | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 682 | CKV2_AWS_37 | resource | aws_customer_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 683 | CKV2_AWS_37 | resource | aws_datapipeline_pipeline | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 684 | CKV2_AWS_37 | resource | aws_datasync_agent | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 685 | CKV2_AWS_37 | resource | aws_datasync_location_efs | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 686 | CKV2_AWS_37 | resource | aws_datasync_location_nfs | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 687 | CKV2_AWS_37 | resource | aws_datasync_location_s3 | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 688 | CKV2_AWS_37 | resource | aws_datasync_location_smb | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 689 | CKV2_AWS_37 | resource | aws_datasync_task | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 690 | CKV2_AWS_37 | resource | aws_dax_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 691 | CKV2_AWS_37 | resource | aws_dax_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 692 | CKV2_AWS_37 | resource | aws_dax_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 693 | CKV2_AWS_37 | resource | aws_db_cluster_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 694 | CKV2_AWS_37 | resource | aws_db_event_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 695 | CKV2_AWS_37 | resource | aws_db_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 696 | CKV2_AWS_37 | resource | aws_db_instance_role_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 697 | CKV2_AWS_37 | resource | aws_db_option_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 698 | CKV2_AWS_37 | resource | aws_db_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 699 | CKV2_AWS_37 | resource | aws_db_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 700 | CKV2_AWS_37 | resource | aws_db_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 701 | CKV2_AWS_37 | resource | aws_db_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 702 | CKV2_AWS_37 | resource | aws_default_network_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 703 | CKV2_AWS_37 | resource | aws_default_route_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 704 | CKV2_AWS_37 | resource | aws_default_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 705 | CKV2_AWS_37 | resource | aws_default_subnet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 706 | CKV2_AWS_37 | resource | aws_default_vpc | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 707 | CKV2_AWS_37 | resource | aws_default_vpc_dhcp_options | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 708 | CKV2_AWS_37 | resource | aws_devicefarm_project | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 709 | CKV2_AWS_37 | resource | aws_directory_service_conditional_forwarder | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 710 | CKV2_AWS_37 | resource | aws_directory_service_directory | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 711 | CKV2_AWS_37 | resource | aws_directory_service_log_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 712 | CKV2_AWS_37 | resource | aws_dlm_lifecycle_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 713 | CKV2_AWS_37 | resource | aws_dms_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 714 | CKV2_AWS_37 | resource | aws_dms_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 715 | CKV2_AWS_37 | resource | aws_dms_event_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 716 | CKV2_AWS_37 | resource | aws_dms_replication_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 717 | CKV2_AWS_37 | resource | aws_dms_replication_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 718 | CKV2_AWS_37 | resource | aws_dms_replication_task | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 719 | CKV2_AWS_37 | resource | aws_docdb_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 720 | CKV2_AWS_37 | resource | aws_docdb_cluster_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 721 | CKV2_AWS_37 | resource | aws_docdb_cluster_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 722 | CKV2_AWS_37 | resource | aws_docdb_cluster_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 723 | CKV2_AWS_37 | resource | aws_docdb_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 724 | CKV2_AWS_37 | resource | aws_dx_bgp_peer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 725 | CKV2_AWS_37 | resource | aws_dx_connection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 726 | CKV2_AWS_37 | resource | aws_dx_connection_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 727 | CKV2_AWS_37 | resource | aws_dx_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 728 | CKV2_AWS_37 | resource | aws_dx_gateway_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 729 | CKV2_AWS_37 | resource | aws_dx_gateway_association_proposal | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 730 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 731 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 732 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 733 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 734 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 735 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 736 | CKV2_AWS_37 | resource | aws_dx_lag | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 737 | CKV2_AWS_37 | resource | aws_dx_private_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 738 | CKV2_AWS_37 | resource | aws_dx_public_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 739 | CKV2_AWS_37 | resource | aws_dx_transit_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 740 | CKV2_AWS_37 | resource | aws_dynamodb_global_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 741 | CKV2_AWS_37 | resource | aws_dynamodb_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 742 | CKV2_AWS_37 | resource | aws_dynamodb_table_item | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 743 | CKV2_AWS_37 | resource | aws_ebs_default_kms_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 744 | CKV2_AWS_37 | resource | aws_ebs_encryption_by_default | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 745 | CKV2_AWS_37 | resource | aws_ebs_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 746 | CKV2_AWS_37 | resource | aws_ebs_snapshot_copy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 747 | CKV2_AWS_37 | resource | aws_ebs_volume | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 748 | CKV2_AWS_37 | resource | aws_ec2_availability_zone_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 749 | CKV2_AWS_37 | resource | aws_ec2_capacity_reservation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 750 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_authorization_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 751 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 752 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_network_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 753 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 754 | CKV2_AWS_37 | resource | aws_ec2_fleet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 755 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 756 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route_table_vpc_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 757 | CKV2_AWS_37 | resource | aws_ec2_tag | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 758 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 759 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 760 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_session | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 761 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 762 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 763 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 764 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 765 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 766 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 767 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 768 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_propagation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 769 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 770 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 771 | CKV2_AWS_37 | resource | aws_ecr_lifecycle_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 772 | CKV2_AWS_37 | resource | aws_ecr_repository | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 773 | CKV2_AWS_37 | resource | aws_ecr_repository_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 774 | CKV2_AWS_37 | resource | aws_ecs_capacity_provider | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 775 | CKV2_AWS_37 | resource | aws_ecs_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 776 | CKV2_AWS_37 | resource | aws_ecs_service | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 777 | CKV2_AWS_37 | resource | aws_ecs_task_definition | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 778 | CKV2_AWS_37 | resource | aws_efs_access_point | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 779 | CKV2_AWS_37 | resource | aws_efs_file_system | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 780 | CKV2_AWS_37 | resource | aws_efs_file_system_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 781 | CKV2_AWS_37 | resource | aws_efs_mount_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 782 | CKV2_AWS_37 | resource | aws_egress_only_internet_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 783 | CKV2_AWS_37 | resource | aws_eip | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 784 | CKV2_AWS_37 | resource | aws_eip_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 785 | CKV2_AWS_37 | resource | aws_eks_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 786 | CKV2_AWS_37 | resource | aws_eks_fargate_profile | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 787 | CKV2_AWS_37 | resource | aws_eks_node_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 788 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 789 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application_version | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 790 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_configuration_template | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 791 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_environment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 792 | CKV2_AWS_37 | resource | aws_elasticache_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 793 | CKV2_AWS_37 | resource | aws_elasticache_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 794 | CKV2_AWS_37 | resource | aws_elasticache_replication_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 795 | CKV2_AWS_37 | resource | aws_elasticache_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 796 | CKV2_AWS_37 | resource | aws_elasticache_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 797 | CKV2_AWS_37 | resource | aws_elasticsearch_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 798 | CKV2_AWS_37 | resource | aws_elasticsearch_domain_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 799 | CKV2_AWS_37 | resource | aws_elastictranscoder_pipeline | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 800 | CKV2_AWS_37 | resource | aws_elastictranscoder_preset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 801 | CKV2_AWS_37 | resource | aws_elb | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 802 | CKV2_AWS_37 | resource | aws_elb_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 803 | CKV2_AWS_37 | resource | aws_emr_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 804 | CKV2_AWS_37 | resource | aws_emr_instance_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 805 | CKV2_AWS_37 | resource | aws_emr_security_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 806 | CKV2_AWS_37 | resource | aws_flow_log | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 807 | CKV2_AWS_37 | resource | aws_fms_admin_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 808 | CKV2_AWS_37 | resource | aws_fsx_lustre_file_system | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 809 | CKV2_AWS_37 | resource | aws_fsx_windows_file_system | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 810 | CKV2_AWS_37 | resource | aws_gamelift_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 811 | CKV2_AWS_37 | resource | aws_gamelift_build | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 812 | CKV2_AWS_37 | resource | aws_gamelift_fleet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 813 | CKV2_AWS_37 | resource | aws_gamelift_game_session_queue | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 814 | CKV2_AWS_37 | resource | aws_glacier_vault | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 815 | CKV2_AWS_37 | resource | aws_glacier_vault_lock | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 816 | CKV2_AWS_37 | resource | aws_globalaccelerator_accelerator | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 817 | CKV2_AWS_37 | resource | aws_globalaccelerator_endpoint_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 818 | CKV2_AWS_37 | resource | aws_globalaccelerator_listener | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 819 | CKV2_AWS_37 | resource | aws_glue_catalog_database | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 820 | CKV2_AWS_37 | resource | aws_glue_catalog_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 821 | CKV2_AWS_37 | resource | aws_glue_classifier | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 822 | CKV2_AWS_37 | resource | aws_glue_connection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 823 | CKV2_AWS_37 | resource | aws_glue_crawler | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 824 | CKV2_AWS_37 | resource | aws_glue_job | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 825 | CKV2_AWS_37 | resource | aws_glue_security_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 826 | CKV2_AWS_37 | resource | aws_glue_trigger | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 827 | CKV2_AWS_37 | resource | aws_glue_workflow | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 828 | CKV2_AWS_37 | resource | aws_guardduty_detector | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 829 | CKV2_AWS_37 | resource | aws_guardduty_invite_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 830 | CKV2_AWS_37 | resource | aws_guardduty_ipset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 831 | CKV2_AWS_37 | resource | aws_guardduty_member | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 832 | CKV2_AWS_37 | resource | aws_guardduty_organization_admin_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 833 | CKV2_AWS_37 | resource | aws_guardduty_organization_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 834 | CKV2_AWS_37 | resource | aws_guardduty_threatintelset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 835 | CKV2_AWS_37 | resource | aws_iam_access_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 836 | CKV2_AWS_37 | resource | aws_iam_account_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 837 | CKV2_AWS_37 | resource | aws_iam_account_password_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 838 | CKV2_AWS_37 | resource | aws_iam_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 839 | CKV2_AWS_37 | resource | aws_iam_group_membership | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 840 | CKV2_AWS_37 | resource | aws_iam_group_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 841 | CKV2_AWS_37 | resource | aws_iam_group_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 842 | CKV2_AWS_37 | resource | aws_iam_instance_profile | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 843 | CKV2_AWS_37 | resource | aws_iam_openid_connect_provider | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 844 | CKV2_AWS_37 | resource | aws_iam_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 845 | CKV2_AWS_37 | resource | aws_iam_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 846 | CKV2_AWS_37 | resource | aws_iam_policy_document | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 847 | CKV2_AWS_37 | resource | aws_iam_role | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 848 | CKV2_AWS_37 | resource | aws_iam_role_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 849 | CKV2_AWS_37 | resource | aws_iam_role_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 850 | CKV2_AWS_37 | resource | aws_iam_saml_provider | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 851 | CKV2_AWS_37 | resource | aws_iam_server_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 852 | CKV2_AWS_37 | resource | aws_iam_service_linked_role | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 853 | CKV2_AWS_37 | resource | aws_iam_user | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 854 | CKV2_AWS_37 | resource | aws_iam_user_group_membership | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 855 | CKV2_AWS_37 | resource | aws_iam_user_login_profile | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 856 | CKV2_AWS_37 | resource | aws_iam_user_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 857 | CKV2_AWS_37 | resource | aws_iam_user_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 858 | CKV2_AWS_37 | resource | aws_iam_user_ssh_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 859 | CKV2_AWS_37 | resource | aws_inspector_assessment_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 860 | CKV2_AWS_37 | resource | aws_inspector_assessment_template | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 861 | CKV2_AWS_37 | resource | aws_inspector_resource_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 862 | CKV2_AWS_37 | resource | aws_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 863 | CKV2_AWS_37 | resource | aws_internet_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 864 | CKV2_AWS_37 | resource | aws_iot_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 865 | CKV2_AWS_37 | resource | aws_iot_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 866 | CKV2_AWS_37 | resource | aws_iot_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 867 | CKV2_AWS_37 | resource | aws_iot_role_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 868 | CKV2_AWS_37 | resource | aws_iot_thing | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 869 | CKV2_AWS_37 | resource | aws_iot_thing_principal_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 870 | CKV2_AWS_37 | resource | aws_iot_thing_type | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 871 | CKV2_AWS_37 | resource | aws_iot_topic_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 872 | CKV2_AWS_37 | resource | aws_key_pair | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 873 | CKV2_AWS_37 | resource | aws_kinesis_analytics_application | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 874 | CKV2_AWS_37 | resource | aws_kinesis_firehose_delivery_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 875 | CKV2_AWS_37 | resource | aws_kinesis_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 876 | CKV2_AWS_37 | resource | aws_kinesis_video_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 877 | CKV2_AWS_37 | resource | aws_kms_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 878 | CKV2_AWS_37 | resource | aws_kms_ciphertext | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 879 | CKV2_AWS_37 | resource | aws_kms_external_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 880 | CKV2_AWS_37 | resource | aws_kms_grant | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 881 | CKV2_AWS_37 | resource | aws_kms_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 882 | CKV2_AWS_37 | resource | aws_lambda_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 883 | CKV2_AWS_37 | resource | aws_lambda_event_source_mapping | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 884 | CKV2_AWS_37 | resource | aws_lambda_function | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 885 | CKV2_AWS_37 | resource | aws_lambda_function_event_invoke_config | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 886 | CKV2_AWS_37 | resource | aws_lambda_layer_version | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 887 | CKV2_AWS_37 | resource | aws_lambda_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 888 | CKV2_AWS_37 | resource | aws_lambda_provisioned_concurrency_config | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 889 | CKV2_AWS_37 | resource | aws_launch_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 890 | CKV2_AWS_37 | resource | aws_launch_template | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 891 | CKV2_AWS_37 | resource | aws_lb | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 892 | CKV2_AWS_37 | resource | aws_lb_cookie_stickiness_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 893 | CKV2_AWS_37 | resource | aws_lb_listener | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 894 | CKV2_AWS_37 | resource | aws_lb_listener_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 895 | CKV2_AWS_37 | resource | aws_lb_listener_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 896 | CKV2_AWS_37 | resource | aws_lb_ssl_negotiation_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 897 | CKV2_AWS_37 | resource | aws_lb_target_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 898 | CKV2_AWS_37 | resource | aws_lb_target_group_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 899 | CKV2_AWS_37 | resource | aws_licensemanager_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 900 | CKV2_AWS_37 | resource | aws_licensemanager_license_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 901 | CKV2_AWS_37 | resource | aws_lightsail_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 902 | CKV2_AWS_37 | resource | aws_lightsail_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 903 | CKV2_AWS_37 | resource | aws_lightsail_key_pair | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 904 | CKV2_AWS_37 | resource | aws_lightsail_static_ip | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 905 | CKV2_AWS_37 | resource | aws_lightsail_static_ip_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 906 | CKV2_AWS_37 | resource | aws_load_balancer_backend_server_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 907 | CKV2_AWS_37 | resource | aws_load_balancer_listener_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 908 | CKV2_AWS_37 | resource | aws_load_balancer_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 909 | CKV2_AWS_37 | resource | aws_macie_member_account_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 910 | CKV2_AWS_37 | resource | aws_macie_s3_bucket_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 911 | CKV2_AWS_37 | resource | aws_main_route_table_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 912 | CKV2_AWS_37 | resource | aws_media_convert_queue | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 913 | CKV2_AWS_37 | resource | aws_media_package_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 914 | CKV2_AWS_37 | resource | aws_media_store_container | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 915 | CKV2_AWS_37 | resource | aws_media_store_container_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 916 | CKV2_AWS_37 | resource | aws_mq_broker | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 917 | CKV2_AWS_37 | resource | aws_mq_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 918 | CKV2_AWS_37 | resource | aws_msk_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 919 | CKV2_AWS_37 | resource | aws_msk_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 920 | CKV2_AWS_37 | resource | aws_nat_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 921 | CKV2_AWS_37 | resource | aws_neptune_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 922 | CKV2_AWS_37 | resource | aws_neptune_cluster_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 923 | CKV2_AWS_37 | resource | aws_neptune_cluster_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 924 | CKV2_AWS_37 | resource | aws_neptune_cluster_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 925 | CKV2_AWS_37 | resource | aws_neptune_event_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 926 | CKV2_AWS_37 | resource | aws_neptune_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 927 | CKV2_AWS_37 | resource | aws_neptune_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 928 | CKV2_AWS_37 | resource | aws_network_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 929 | CKV2_AWS_37 | resource | aws_network_acl_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 930 | CKV2_AWS_37 | resource | aws_network_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 931 | CKV2_AWS_37 | resource | aws_network_interface_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 932 | CKV2_AWS_37 | resource | aws_network_interface_sg_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 933 | CKV2_AWS_37 | resource | aws_opsworks_application | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 934 | CKV2_AWS_37 | resource | aws_opsworks_custom_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 935 | CKV2_AWS_37 | resource | aws_opsworks_ganglia_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 936 | CKV2_AWS_37 | resource | aws_opsworks_haproxy_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 937 | CKV2_AWS_37 | resource | aws_opsworks_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 938 | CKV2_AWS_37 | resource | aws_opsworks_java_app_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 939 | CKV2_AWS_37 | resource | aws_opsworks_memcached_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 940 | CKV2_AWS_37 | resource | aws_opsworks_mysql_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 941 | CKV2_AWS_37 | resource | aws_opsworks_nodejs_app_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 942 | CKV2_AWS_37 | resource | aws_opsworks_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 943 | CKV2_AWS_37 | resource | aws_opsworks_php_app_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 944 | CKV2_AWS_37 | resource | aws_opsworks_rails_app_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 945 | CKV2_AWS_37 | resource | aws_opsworks_rds_db_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 946 | CKV2_AWS_37 | resource | aws_opsworks_stack | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 947 | CKV2_AWS_37 | resource | aws_opsworks_static_web_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 948 | CKV2_AWS_37 | resource | aws_opsworks_user_profile | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 949 | CKV2_AWS_37 | resource | aws_organizations_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 950 | CKV2_AWS_37 | resource | aws_organizations_organization | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 951 | CKV2_AWS_37 | resource | aws_organizations_organizational_unit | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 952 | CKV2_AWS_37 | resource | aws_organizations_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 953 | CKV2_AWS_37 | resource | aws_organizations_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 954 | CKV2_AWS_37 | resource | aws_pinpoint_adm_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 955 | CKV2_AWS_37 | resource | aws_pinpoint_apns_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 956 | CKV2_AWS_37 | resource | aws_pinpoint_apns_sandbox_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 957 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 958 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_sandbox_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 959 | CKV2_AWS_37 | resource | aws_pinpoint_app | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 960 | CKV2_AWS_37 | resource | aws_pinpoint_baidu_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 961 | CKV2_AWS_37 | resource | aws_pinpoint_email_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 962 | CKV2_AWS_37 | resource | aws_pinpoint_event_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 963 | CKV2_AWS_37 | resource | aws_pinpoint_gcm_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 964 | CKV2_AWS_37 | resource | aws_pinpoint_sms_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 965 | CKV2_AWS_37 | resource | aws_placement_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 966 | CKV2_AWS_37 | resource | aws_proxy_protocol_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 967 | CKV2_AWS_37 | resource | aws_qldb_ledger | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 968 | CKV2_AWS_37 | resource | aws_quicksight_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 969 | CKV2_AWS_37 | resource | aws_quicksight_user | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 970 | CKV2_AWS_37 | resource | aws_ram_principal_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 971 | CKV2_AWS_37 | resource | aws_ram_resource_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 972 | CKV2_AWS_37 | resource | aws_ram_resource_share | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 973 | CKV2_AWS_37 | resource | aws_ram_resource_share_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 974 | CKV2_AWS_37 | resource | aws_rds_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 975 | CKV2_AWS_37 | resource | aws_rds_cluster_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 976 | CKV2_AWS_37 | resource | aws_rds_cluster_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 977 | CKV2_AWS_37 | resource | aws_rds_cluster_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 978 | CKV2_AWS_37 | resource | aws_rds_global_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 979 | CKV2_AWS_37 | resource | aws_redshift_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 980 | CKV2_AWS_37 | resource | aws_redshift_event_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 981 | CKV2_AWS_37 | resource | aws_redshift_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 982 | CKV2_AWS_37 | resource | aws_redshift_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 983 | CKV2_AWS_37 | resource | aws_redshift_snapshot_copy_grant | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 984 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 985 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 986 | CKV2_AWS_37 | resource | aws_redshift_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 987 | CKV2_AWS_37 | resource | aws_resourcegroups_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 988 | CKV2_AWS_37 | resource | aws_root | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 989 | CKV2_AWS_37 | resource | aws_root_access_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 990 | CKV2_AWS_37 | resource | aws_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 991 | CKV2_AWS_37 | resource | aws_route53_delegation_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 992 | CKV2_AWS_37 | resource | aws_route53_health_check | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 993 | CKV2_AWS_37 | resource | aws_route53_query_log | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 994 | CKV2_AWS_37 | resource | aws_route53_record | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 995 | CKV2_AWS_37 | resource | aws_route53_resolver_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 996 | CKV2_AWS_37 | resource | aws_route53_resolver_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 997 | CKV2_AWS_37 | resource | aws_route53_resolver_rule_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 998 | CKV2_AWS_37 | resource | aws_route53_vpc_association_authorization | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 999 | CKV2_AWS_37 | resource | aws_route53_zone | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1000 | CKV2_AWS_37 | resource | aws_route53_zone_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1001 | CKV2_AWS_37 | resource | aws_route_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1002 | CKV2_AWS_37 | resource | aws_route_table_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1003 | CKV2_AWS_37 | resource | aws_s3_access_point | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1004 | CKV2_AWS_37 | resource | aws_s3_account_public_access_block | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1005 | CKV2_AWS_37 | resource | aws_s3_bucket | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1006 | CKV2_AWS_37 | resource | aws_s3_bucket_analytics_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1007 | CKV2_AWS_37 | resource | aws_s3_bucket_inventory | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1008 | CKV2_AWS_37 | resource | aws_s3_bucket_metric | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1009 | CKV2_AWS_37 | resource | aws_s3_bucket_notification | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1010 | CKV2_AWS_37 | resource | aws_s3_bucket_object | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1011 | CKV2_AWS_37 | resource | aws_s3_bucket_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1012 | CKV2_AWS_37 | resource | aws_s3_bucket_public_access_block | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1013 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1014 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1015 | CKV2_AWS_37 | resource | aws_sagemaker_model | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1016 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1017 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance_lifecycle_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1018 | CKV2_AWS_37 | resource | aws_secretsmanager_secret | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1019 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_rotation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1020 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_version | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1021 | CKV2_AWS_37 | resource | aws_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1022 | CKV2_AWS_37 | resource | aws_security_group_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1023 | CKV2_AWS_37 | resource | aws_securityhub_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1024 | CKV2_AWS_37 | resource | aws_securityhub_member | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1025 | CKV2_AWS_37 | resource | aws_securityhub_product_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1026 | CKV2_AWS_37 | resource | aws_securityhub_standards_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1027 | CKV2_AWS_37 | resource | aws_service_discovery_http_namespace | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1028 | CKV2_AWS_37 | resource | aws_service_discovery_private_dns_namespace | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1029 | CKV2_AWS_37 | resource | aws_service_discovery_public_dns_namespace | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1030 | CKV2_AWS_37 | resource | aws_service_discovery_service | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1031 | CKV2_AWS_37 | resource | aws_servicecatalog_portfolio | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1032 | CKV2_AWS_37 | resource | aws_servicequotas_service_quota | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1033 | CKV2_AWS_37 | resource | aws_ses_active_receipt_rule_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1034 | CKV2_AWS_37 | resource | aws_ses_configuration_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1035 | CKV2_AWS_37 | resource | aws_ses_domain_dkim | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1036 | CKV2_AWS_37 | resource | aws_ses_domain_identity | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1037 | CKV2_AWS_37 | resource | aws_ses_domain_identity_verification | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1038 | CKV2_AWS_37 | resource | aws_ses_domain_mail_from | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1039 | CKV2_AWS_37 | resource | aws_ses_email_identity | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1040 | CKV2_AWS_37 | resource | aws_ses_event_destination | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1041 | CKV2_AWS_37 | resource | aws_ses_identity_notification_topic | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1042 | CKV2_AWS_37 | resource | aws_ses_identity_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1043 | CKV2_AWS_37 | resource | aws_ses_receipt_filter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1044 | CKV2_AWS_37 | resource | aws_ses_receipt_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1045 | CKV2_AWS_37 | resource | aws_ses_receipt_rule_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1046 | CKV2_AWS_37 | resource | aws_ses_template | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1047 | CKV2_AWS_37 | resource | aws_sfn_activity | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1048 | CKV2_AWS_37 | resource | aws_sfn_state_machine | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1049 | CKV2_AWS_37 | resource | aws_shield_protection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1050 | CKV2_AWS_37 | resource | aws_simpledb_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1051 | CKV2_AWS_37 | resource | aws_snapshot_create_volume_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1052 | CKV2_AWS_37 | resource | aws_sns_platform_application | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1053 | CKV2_AWS_37 | resource | aws_sns_sms_preferences | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1054 | CKV2_AWS_37 | resource | aws_sns_topic | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1055 | CKV2_AWS_37 | resource | aws_sns_topic_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1056 | CKV2_AWS_37 | resource | aws_sns_topic_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1057 | CKV2_AWS_37 | resource | aws_spot_datafeed_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1058 | CKV2_AWS_37 | resource | aws_spot_fleet_request | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1059 | CKV2_AWS_37 | resource | aws_spot_instance_request | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1060 | CKV2_AWS_37 | resource | aws_sqs_queue | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1061 | CKV2_AWS_37 | resource | aws_sqs_queue_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1062 | CKV2_AWS_37 | resource | aws_ssm_activation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1063 | CKV2_AWS_37 | resource | aws_ssm_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1064 | CKV2_AWS_37 | resource | aws_ssm_document | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1065 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1066 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1067 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_task | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1068 | CKV2_AWS_37 | resource | aws_ssm_parameter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1069 | CKV2_AWS_37 | resource | aws_ssm_patch_baseline | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1070 | CKV2_AWS_37 | resource | aws_ssm_patch_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1071 | CKV2_AWS_37 | resource | aws_ssm_resource_data_sync | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1072 | CKV2_AWS_37 | resource | aws_storagegateway_cache | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1073 | CKV2_AWS_37 | resource | aws_storagegateway_cached_iscsi_volume | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1074 | CKV2_AWS_37 | resource | aws_storagegateway_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1075 | CKV2_AWS_37 | resource | aws_storagegateway_nfs_file_share | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1076 | CKV2_AWS_37 | resource | aws_storagegateway_smb_file_share | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1077 | CKV2_AWS_37 | resource | aws_storagegateway_upload_buffer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1078 | CKV2_AWS_37 | resource | aws_storagegateway_working_storage | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1079 | CKV2_AWS_37 | resource | aws_subnet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1080 | CKV2_AWS_37 | resource | aws_swf_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1081 | CKV2_AWS_37 | resource | aws_transfer_server | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1082 | CKV2_AWS_37 | resource | aws_transfer_ssh_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1083 | CKV2_AWS_37 | resource | aws_transfer_user | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1084 | CKV2_AWS_37 | resource | aws_volume_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1085 | CKV2_AWS_37 | resource | aws_vpc | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1086 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1087 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1088 | CKV2_AWS_37 | resource | aws_vpc_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1089 | CKV2_AWS_37 | resource | aws_vpc_endpoint_connection_notification | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1090 | CKV2_AWS_37 | resource | aws_vpc_endpoint_route_table_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1091 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1092 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service_allowed_principal | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1093 | CKV2_AWS_37 | resource | aws_vpc_endpoint_subnet_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1094 | CKV2_AWS_37 | resource | aws_vpc_ipv4_cidr_block_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1095 | CKV2_AWS_37 | resource | aws_vpc_peering_connection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1096 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1097 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_options | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1098 | CKV2_AWS_37 | resource | aws_vpn_connection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1099 | CKV2_AWS_37 | resource | aws_vpn_connection_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1100 | CKV2_AWS_37 | resource | aws_vpn_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1101 | CKV2_AWS_37 | resource | aws_vpn_gateway_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1102 | CKV2_AWS_37 | resource | aws_vpn_gateway_route_propagation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1103 | CKV2_AWS_37 | resource | aws_waf_byte_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1104 | CKV2_AWS_37 | resource | aws_waf_geo_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1105 | CKV2_AWS_37 | resource | aws_waf_ipset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1106 | CKV2_AWS_37 | resource | aws_waf_rate_based_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1107 | CKV2_AWS_37 | resource | aws_waf_regex_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1108 | CKV2_AWS_37 | resource | aws_waf_regex_pattern_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1109 | CKV2_AWS_37 | resource | aws_waf_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1110 | CKV2_AWS_37 | resource | aws_waf_rule_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1111 | CKV2_AWS_37 | resource | aws_waf_size_constraint_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1112 | CKV2_AWS_37 | resource | aws_waf_sql_injection_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1113 | CKV2_AWS_37 | resource | aws_waf_web_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1114 | CKV2_AWS_37 | resource | aws_waf_xss_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1115 | CKV2_AWS_37 | resource | aws_wafregional_byte_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1116 | CKV2_AWS_37 | resource | aws_wafregional_geo_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1117 | CKV2_AWS_37 | resource | aws_wafregional_ipset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1118 | CKV2_AWS_37 | resource | aws_wafregional_rate_based_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1119 | CKV2_AWS_37 | resource | aws_wafregional_regex_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1120 | CKV2_AWS_37 | resource | aws_wafregional_regex_pattern_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1121 | CKV2_AWS_37 | resource | aws_wafregional_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1122 | CKV2_AWS_37 | resource | aws_wafregional_rule_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1123 | CKV2_AWS_37 | resource | aws_wafregional_size_constraint_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1124 | CKV2_AWS_37 | resource | aws_wafregional_sql_injection_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1125 | CKV2_AWS_37 | resource | aws_wafregional_web_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1126 | CKV2_AWS_37 | resource | aws_wafregional_web_acl_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1127 | CKV2_AWS_37 | resource | aws_wafregional_xss_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1128 | CKV2_AWS_37 | resource | aws_wafv2_ip_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1129 | CKV2_AWS_37 | resource | aws_wafv2_regex_pattern_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1130 | CKV2_AWS_37 | resource | aws_wafv2_rule_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1131 | CKV2_AWS_37 | resource | aws_wafv2_web_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1132 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1133 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_logging_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1134 | CKV2_AWS_37 | resource | aws_worklink_fleet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1135 | CKV2_AWS_37 | resource | aws_worklink_website_certificate_authority_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1136 | CKV2_AWS_37 | resource | aws_workspaces_directory | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1137 | CKV2_AWS_37 | resource | aws_workspaces_ip_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1138 | CKV2_AWS_37 | resource | aws_workspaces_workspace | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1139 | CKV2_AWS_37 | resource | aws_xray_sampling_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1140 | CKV2_AWS_38 | resource | aws_route53_zone | Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones | Terraform | [Route53ZoneEnableDNSSECSigning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneEnableDNSSECSigning.yaml) | -| 1141 | CKV2_AWS_39 | resource | aws_route53_zone | Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones | Terraform | [Route53ZoneHasMatchingQueryLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneHasMatchingQueryLog.yaml) | -| 1142 | CKV2_AWS_40 | resource | aws_iam_group_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1143 | CKV2_AWS_40 | resource | aws_iam_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1144 | CKV2_AWS_40 | resource | aws_iam_role_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1145 | CKV2_AWS_40 | resource | aws_iam_user_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1146 | CKV2_AWS_40 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1147 | CKV2_AWS_40 | resource | data.aws_iam_policy_document | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1148 | CKV2_AWS_41 | resource | aws_instance | Ensure an IAM role is attached to EC2 instance | Terraform | [EC2InstanceHasIAMRoleAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EC2InstanceHasIAMRoleAttached.yaml) | -| 1149 | CKV2_AWS_42 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution uses custom SSL certificate | Terraform | [CloudFrontHasCustomSSLCertificate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml) | -| 1150 | CKV2_AWS_43 | resource | aws_s3_bucket_acl | Ensure S3 Bucket does not allow access to all Authenticated users | Terraform | [S3NotAllowAccessToAllAuthenticatedUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml) | -| 1151 | CKV2_AWS_44 | resource | aws_route | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | -| 1152 | CKV2_AWS_44 | resource | aws_route_table | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | -| 1153 | CKV2_AWS_45 | resource | aws_config_configuration_recorder | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) | -| 1154 | CKV2_AWS_45 | resource | aws_config_configuration_recorder_status | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) | -| 1155 | CKV2_AWS_46 | resource | aws_cloudfront_distribution | Ensure AWS Cloudfront Distribution with S3 have Origin Access set to enabled | Terraform | [CLoudFrontS3OriginConfigWithOAI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CLoudFrontS3OriginConfigWithOAI.yaml) | -| 1156 | CKV2_AWS_47 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) | -| 1157 | CKV2_AWS_47 | resource | aws_wafv2_web_acl | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) | -| 1158 | CKV2_AWS_48 | resource | aws_config_configuration_recorder | Ensure AWS Config must record all possible resources | Terraform | [ConfigRecorderRecordsAllGlobalResources.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ConfigRecorderRecordsAllGlobalResources.yaml) | -| 1159 | CKV2_AWS_49 | resource | aws_dms_endpoint | Ensure AWS Database Migration Service endpoints have SSL configured | Terraform | [DMSEndpointHaveSSLConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/DMSEndpointHaveSSLConfigured.yaml) | -| 1160 | CKV2_AWS_50 | resource | aws_elasticache_replication_group | Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled | Terraform | [ElastiCacheRedisConfiguredAutomaticFailOver.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElastiCacheRedisConfiguredAutomaticFailOver.yaml) | -| 1161 | CKV2_AWS_51 | resource | aws_api_gateway_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | -| 1162 | CKV2_AWS_51 | resource | aws_apigatewayv2_api | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | -| 1163 | CKV2_AWS_51 | resource | aws_apigatewayv2_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | -| 1164 | CKV2_AWS_52 | resource | aws_elasticsearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) | -| 1165 | CKV2_AWS_52 | resource | aws_opensearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) | -| 1166 | CKV2_AWS_53 | resource | aws_api_gateway_method | Ensure AWS API gateway request is validated | Terraform | [APIGatewayRequestParameterValidationEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayRequestParameterValidationEnabled.yaml) | -| 1167 | CKV2_AWS_54 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication | Terraform | [CloudFrontUsesSecureProtocolsForHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontUsesSecureProtocolsForHTTPS.yaml) | -| 1168 | CKV2_AWS_55 | resource | aws_emr_cluster | Ensure AWS EMR cluster is configured with security configuration | Terraform | [EMRClusterHasSecurityConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EMRClusterHasSecurityConfiguration.yaml) | -| 1169 | CKV2_AWS_56 | resource | aws_iam_group_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1170 | CKV2_AWS_56 | resource | aws_iam_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1171 | CKV2_AWS_56 | resource | aws_iam_role | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1172 | CKV2_AWS_56 | resource | aws_iam_role_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1173 | CKV2_AWS_56 | resource | aws_iam_user_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1174 | CKV2_AWS_56 | resource | aws_ssoadmin_managed_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1175 | CKV2_AWS_56 | resource | data.aws_iam_policy | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1176 | CKV2_AWS_57 | resource | aws_secretsmanager_secret | Ensure Secrets Manager secrets should have automatic rotation enabled | Terraform | [SecretsAreRotated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SecretsAreRotated.yaml) | -| 1177 | CKV2_AWS_58 | resource | aws_neptune_cluster | Ensure AWS Neptune cluster deletion protection is enabled | Terraform | [NeptuneDeletionProtectionEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NeptuneDeletionProtectionEnabled.yaml) | -| 1178 | CKV2_AWS_59 | resource | aws_elasticsearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | -| 1179 | CKV2_AWS_59 | resource | aws_opensearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | -| 1180 | CKV2_AWS_60 | resource | aws_db_instance | Ensure RDS instance with copy tags to snapshots is enabled | Terraform | [RDSEnableCopyTagsToSnapshot.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSEnableCopyTagsToSnapshot.yaml) | -| 1181 | CKV2_AWS_61 | resource | aws_s3_bucket | Ensure that an S3 bucket has a lifecycle configuration | Terraform | [S3BucketLifecycle.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLifecycle.yaml) | -| 1182 | CKV2_AWS_62 | resource | aws_s3_bucket | Ensure S3 buckets should have event notifications enabled | Terraform | [S3BucketEventNotifications.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEventNotifications.yaml) | -| 1183 | CKV2_AWS_63 | resource | aws_networkfirewall_firewall | Ensure Network firewall has logging configuration defined | Terraform | [NetworkFirewallHasLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NetworkFirewallHasLogging.yaml) | -| 1184 | CKV2_AWS_64 | resource | aws_kms_key | Ensure KMS key Policy is defined | Terraform | [KmsKeyPolicyIsDefined.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/KmsKeyPolicyIsDefined.yaml) | -| 1185 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | -| 1186 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | -| 1187 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | [AzureManagedDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryption.py) | -| 1188 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'enable_https_traffic_only' is enabled | Terraform | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsTransportEncryption.py) | -| 1189 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLoggingEnabled.py) | -| 1190 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py) | -| 1191 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSApiServerAuthorizedIpRanges.py) | -| 1192 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNetworkPolicy.py) | -| 1193 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kubernetes Dashboard is disabled | Terraform | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSDashboardDisabled.py) | -| 1194 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | -| 1195 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | -| 1196 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | -| 1197 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | -| 1198 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | -| 1199 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | -| 1200 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | -| 1201 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | -| 1202 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkWatcherFlowLogPeriod.py) | -| 1203 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | -| 1204 | CKV_AZURE_13 | resource | azurerm_linux_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | -| 1205 | CKV_AZURE_13 | resource | azurerm_windows_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | -| 1206 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | -| 1207 | CKV_AZURE_14 | resource | azurerm_linux_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | -| 1208 | CKV_AZURE_14 | resource | azurerm_windows_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | -| 1209 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | -| 1210 | CKV_AZURE_15 | resource | azurerm_linux_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | -| 1211 | CKV_AZURE_15 | resource | azurerm_windows_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | -| 1212 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | -| 1213 | CKV_AZURE_16 | resource | azurerm_linux_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | -| 1214 | CKV_AZURE_16 | resource | azurerm_windows_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | -| 1215 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | -| 1216 | CKV_AZURE_17 | resource | azurerm_linux_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | -| 1217 | CKV_AZURE_17 | resource | azurerm_windows_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | -| 1218 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | -| 1219 | CKV_AZURE_18 | resource | azurerm_linux_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | -| 1220 | CKV_AZURE_18 | resource | azurerm_windows_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | -| 1221 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterStandardPricing.py) | -| 1222 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactPhone.py) | -| 1223 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlert.py) | -| 1224 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlertAdmins.py) | -| 1225 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | -| 1226 | CKV_AZURE_23 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | -| 1227 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | -| 1228 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | -| 1229 | CKV_AZURE_24 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | -| 1230 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | -| 1231 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerThreatDetectionTypes.py) | -| 1232 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsEnabled.py) | -| 1233 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsToAdminsEnabled.py) | -| 1234 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerSSLEnforcementEnabled.py) | -| 1235 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerSSLEnforcementEnabled.py) | -| 1236 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogCheckpointsEnabled.py) | -| 1237 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogConnectionsEnabled.py) | -| 1238 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 1239 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountLoggingQueueServiceEnabled.py) | -| 1240 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobServiceContainerPrivateAccess.py) | -| 1241 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | -| 1242 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | -| 1243 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | -| 1244 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | -| 1245 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileRetentionDays.py) | -| 1246 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileCategories.py) | -| 1247 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | [CutsomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CutsomRoleDefinitionSubscriptionOwner.py) | -| 1248 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyExpirationDate.py) | -| 1249 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretExpirationDate.py) | -| 1250 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyvaultRecoveryEnabled.py) | -| 1251 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform | [StorageAccountName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountName.py) | -| 1252 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountMinimumTlsVersion.py) | -| 1253 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | [VMCredsInCustomData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMCredsInCustomData.py) | -| 1254 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBSSLEnforcementEnabled.py) | -| 1255 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | [MariaDBPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBPublicAccessDisabled.py) | -| 1256 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureScaleSetPassword.py) | -| 1257 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | -| 1258 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | -| 1259 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerMinTLSVersion.py) | -| 1260 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLPublicAccessDisabled.py) | -| 1261 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerMinTLSVersion.py) | -| 1262 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | [AzureDefenderOnServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnServers.py) | -| 1263 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsEnableAuthentication.py) | -| 1264 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | -| 1265 | CKV_AZURE_57 | resource | azurerm_linux_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | -| 1266 | CKV_AZURE_57 | resource | azurerm_windows_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | -| 1267 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | -| 1268 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDisablePublicAccess.py) | -| 1269 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | [AzureDefenderOnAppServices.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnAppServices.py) | -| 1270 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppDisallowCORS.py) | -| 1271 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | -| 1272 | CKV_AZURE_63 | resource | azurerm_linux_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | -| 1273 | CKV_AZURE_63 | resource | azurerm_windows_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | -| 1274 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageSyncPublicAccessDisabled.py) | -| 1275 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | -| 1276 | CKV_AZURE_65 | resource | azurerm_linux_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | -| 1277 | CKV_AZURE_65 | resource | azurerm_windows_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | -| 1278 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | -| 1279 | CKV_AZURE_66 | resource | azurerm_linux_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | -| 1280 | CKV_AZURE_66 | resource | azurerm_windows_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | -| 1281 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | -| 1282 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | -| 1283 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | [PostgreSQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerPublicAccessDisabled.py) | -| 1284 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | [AzureDefenderOnSqlServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServers.py) | -| 1285 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | -| 1286 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | -| 1287 | CKV_AZURE_71 | resource | azurerm_linux_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | -| 1288 | CKV_AZURE_71 | resource | azurerm_windows_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | -| 1289 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | -| 1290 | CKV_AZURE_72 | resource | azurerm_linux_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | -| 1291 | CKV_AZURE_72 | resource | azurerm_windows_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | -| 1292 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | -| 1293 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | -| 1294 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | -| 1295 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | -| 1296 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Terraform | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerUsesDiskEncryption.py) | -| 1297 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | [AzureDataExplorerDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDataExplorerDoubleEncryptionEnabled.py) | -| 1298 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureBatchAccountUsesKeyVaultEncryption.py) | -| 1299 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | -| 1300 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | -| 1301 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | -| 1302 | CKV_AZURE_78 | resource | azurerm_linux_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | -| 1303 | CKV_AZURE_78 | resource | azurerm_windows_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | -| 1304 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | [AzureDefenderOnSqlServerVMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServerVMS.py) | -| 1305 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | -| 1306 | CKV_AZURE_80 | resource | azurerm_windows_web_app | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | -| 1307 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | [AppServicePHPVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePHPVersion.py) | -| 1308 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePythonVersion.py) | -| 1309 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceJavaVersion.py) | -| 1310 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnStorage.py) | -| 1311 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | [AzureDefenderOnKubernetes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKubernetes.py) | -| 1312 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | [AzureDefenderOnContainerRegistry.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnContainerRegistry.py) | -| 1313 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | [AzureDefenderOnKeyVaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKeyVaults.py) | -| 1314 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | -| 1315 | CKV_AZURE_88 | resource | azurerm_linux_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | -| 1316 | CKV_AZURE_88 | resource | azurerm_windows_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | -| 1317 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCachePublicNetworkAccessEnabled.py) | -| 1318 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | [RedisCacheEnableNonSSLPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheEnableNonSSLPort.py) | -| 1319 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | -| 1320 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | -| 1321 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryptionSet.py) | -| 1322 | CKV_AZURE_94 | resource | azurerm_mysql_flexible_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | -| 1323 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | -| 1324 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMScaleSetsAutoOSImagePatchingEnabled.py) | -| 1325 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | [MySQLEncryptionEnaled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLEncryptionEnaled.py) | -| 1326 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | -| 1327 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | -| 1328 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | [AzureContainerGroupDeployedIntoVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerGroupDeployedIntoVirtualNetwork.py) | -| 1329 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | [CosmosDBAccountsRestrictedAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBAccountsRestrictedAccess.py) | -| 1330 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBHaveCMK.py) | -| 1331 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisablesPublicNetwork.py) | -| 1332 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | [PostgressSQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgressSQLGeoBackupEnabled.py) | -| 1333 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryUsesGitRepository.py) | -| 1334 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | [DataFactoryNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryNoPublicNetworkAccess.py) | -| 1335 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | [DataLakeStoreEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataLakeStoreEncryption.py) | -| 1336 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | [EventgridDomainNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainNetworkAccess.py) | -| 1337 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIServicesUseVirtualNetwork.py) | -| 1338 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | [IoTNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/IoTNoPublicNetworkAccess.py) | -| 1339 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesFirewallRulesSettings.py) | -| 1340 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | [KeyVaultEnablesPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesPurgeProtection.py) | -| 1341 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesSoftDelete.py) | -| 1342 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyBackedByHSM.py) | -| 1343 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | [SQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerPublicAccessDisabled.py) | -| 1344 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretContentType.py) | -| 1345 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | [AKSEnablesPrivateClusters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEnablesPrivateClusters.py) | -| 1346 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | [AKSUsesAzurePoliciesAddon.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesAzurePoliciesAddon.py) | -| 1347 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | [AKSUsesDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesDiskEncryptionSet.py) | -| 1348 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | [NetworkInterfaceEnableIPForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkInterfaceEnableIPForwarding.py) | -| 1349 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | [AzureNetworkInterfacePublicIPAddressId.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureNetworkInterfacePublicIPAddressId.yaml) | -| 1350 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | -| 1351 | CKV_AZURE_120 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | -| 1352 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFrontDoorEnablesWAF.py) | -| 1353 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | [AppGWUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUseWAFMode.py) | -| 1354 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontdoorUseWAFMode.py) | -| 1355 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | [AzureSearchPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchPublicNetworkAccessDisabled.py) | -| 1356 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | [AzureServiceFabricClusterProtectionLevel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py) | -| 1357 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | [ActiveDirectoryUsedAuthenticationServiceFabric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ActiveDirectoryUsedAuthenticationServiceFabric.py) | -| 1358 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | [MySQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLTreatDetectionEnabled.py) | -| 1359 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | [PostgresSQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgresSQLTreatDetectionEnabled.py) | -| 1360 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | [MariaDBGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBGeoBackupEnabled.py) | -| 1361 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLEncryptionEnabled.py) | -| 1362 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | [SecurityCenterContactEmails.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmails.py) | -| 1363 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisableAccessKeyWrite.py) | -| 1364 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [FrontDoorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontDoorWAFACLCVE202144228.py) | -| 1365 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesDisablesPublicNetwork.py) | -| 1366 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [AppGatewayWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGatewayWAFACLCVE202144228.py) | -| 1367 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform | [PostgreSQLFlexiServerGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLFlexiServerGeoBackupEnabled.py) | -| 1368 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform | [ACRAdminAccountDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAdminAccountDisabled.py) | -| 1369 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform | [ACRAnonymousPullDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py) | -| 1370 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform | [ACRPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRPublicNetworkAccessDisabled.py) | -| 1371 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform | [CosmosDBLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBLocalAuthDisabled.py) | -| 1372 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform | [AKSLocalAdminDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLocalAdminDisabled.py) | -| 1373 | CKV_AZURE_142 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform | [MLCCLADisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLCCLADisabled.py) | -| 1374 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform | [AKSNodePublicIpDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNodePublicIpDisabled.py) | -| 1375 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform | [MLPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLPublicAccess.py) | -| 1376 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1377 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogRetentionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogRetentionEnabled.py) | -| 1378 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform | [PostgreSQLMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLMinTLSVersion.py) | -| 1379 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform | [RedisCacheMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheMinTLSVersion.py) | -| 1380 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | -| 1381 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | -| 1382 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform | [MLComputeClusterMinNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLComputeClusterMinNodes.py) | -| 1383 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMEncryptionAtHost.py) | -| 1384 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | [APIManagementCertsEnforced.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementCertsEnforced.py) | -| 1385 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | -| 1386 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | [AppServiceSlotMinTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py) | -| 1387 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotDebugDisabled.py) | -| 1388 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | [MSSQLServerAuditPolicyLogMonitor.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerAuditPolicyLogMonitor.py) | -| 1389 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesDataExfilProtection.py) | -| 1390 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace has not public | Terraform | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py) | -| 1391 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | -| 1392 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | -| 1393 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | -| 1394 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | -| 1395 | CKV_AZURE_161 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal is enabled on for HTTPS | Terraform | [SpringCloudAPIPortalHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalHTTPSOnly.py) | -| 1396 | CKV_AZURE_162 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal Public Access Is Disabled | Terraform | [SpringCloudAPIPortalPublicAccessIsDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py) | -| 1397 | CKV_AZURE_163 | resource | azurerm_container_registry | Enable vulnerability scanning for container images. | Terraform | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py) | -| 1398 | CKV_AZURE_164 | resource | azurerm_container_registry | Ensures that ACR uses signed/trusted images | Terraform | [ACRUseSignedImages.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRUseSignedImages.py) | -| 1399 | CKV_AZURE_165 | resource | azurerm_container_registry | Ensure geo-replicated container registries to match multi-region container deployments. | Terraform | [ACRGeoreplicated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py) | -| 1400 | CKV_AZURE_166 | resource | azurerm_container_registry | Ensure container image quarantine, scan, and mark images verified | Terraform | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableImageQuarantine.py) | -| 1401 | CKV_AZURE_167 | resource | azurerm_container_registry | Ensure a retention policy is set to cleanup untagged manifests. | Terraform | [ACREnableRetentionPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py) | -| 1402 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | -| 1403 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster_node_pool | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | -| 1404 | CKV_AZURE_169 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Terraform | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSPoolTypeIsScaleSet.py) | -| 1405 | CKV_AZURE_170 | resource | azurerm_kubernetes_cluster | Ensure that AKS use the Paid Sku for its SLA | Terraform | [AKSIsPaidSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSIsPaidSku.py) | -| 1406 | CKV_AZURE_171 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster upgrade channel is chosen | Terraform | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUpgradeChannel.py) | -| 1407 | CKV_AZURE_172 | resource | azurerm_kubernetes_cluster | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Terraform | [AKSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSSecretStoreRotation.py) | -| 1408 | CKV_AZURE_173 | resource | azurerm_api_management | Ensure API management uses at least TLS 1.2 | Terraform | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py) | -| 1409 | CKV_AZURE_174 | resource | azurerm_api_management | Ensure API management public access is disabled | Terraform | [APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementPublicAccess.py) | -| 1410 | CKV_AZURE_175 | resource | azurerm_web_pubsub | Ensure Web PubSub uses a SKU with an SLA | Terraform | [PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSKUSLA.py) | -| 1411 | CKV_AZURE_176 | resource | azurerm_web_pubsub | Ensure Web PubSub uses managed identities to access Azure resources | Terraform | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSpecifyIdentity.py) | -| 1412 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | -| 1413 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine_scale_set | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | -| 1414 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | -| 1415 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine_scale_set | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | -| 1416 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1417 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1418 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1419 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1420 | CKV_AZURE_180 | resource | azurerm_kusto_cluster | Ensure that data explorer uses Sku with an SLA | Terraform | [DataExplorerSKUHasSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerSKUHasSLA.py) | -| 1421 | CKV_AZURE_181 | resource | azurerm_kusto_cluster | Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. | Terraform | [DataExplorerServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerServiceIdentity.py) | -| 1422 | CKV_AZURE_182 | resource | azurerm_virtual_network | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | -| 1423 | CKV_AZURE_182 | resource | azurerm_virtual_network_dns_servers | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | -| 1424 | CKV_AZURE_183 | resource | azurerm_virtual_network | Ensure that VNET uses local DNS addresses | Terraform | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetLocalDNS.py) | -| 1425 | CKV_AZURE_184 | resource | azurerm_app_configuration | Ensure 'local_auth_enabled' is set to 'False' | Terraform | [AppConfigLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigLocalAuth.py) | -| 1426 | CKV_AZURE_185 | resource | azurerm_app_configuration | Ensure 'Public Access' is not Enabled for App configuration | Terraform | [AppConfigPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPublicAccess.py) | -| 1427 | CKV_AZURE_186 | resource | azurerm_app_configuration | Ensure App configuration encryption block is set. | Terraform | [AppConfigEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigEncryption.py) | -| 1428 | CKV_AZURE_187 | resource | azurerm_app_configuration | Ensure App configuration purge protection is enabled | Terraform | [AppConfigPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPurgeProtection.py) | -| 1429 | CKV_AZURE_188 | resource | azurerm_app_configuration | Ensure App configuration Sku is standard | Terraform | [AppConfigSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigSku.py) | -| 1430 | CKV_AZURE_189 | resource | azurerm_key_vault | Ensure that Azure Key Vault disables public network access | Terraform | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py) | -| 1431 | CKV_AZURE_190 | resource | azurerm_storage_account | Ensure that Storage blobs restrict public access | Terraform | [StorageBlobRestrictPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py) | -| 1432 | CKV_AZURE_191 | resource | azurerm_eventgrid_topic | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Terraform | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicIdentityProviderEnabled.py) | -| 1433 | CKV_AZURE_192 | resource | azurerm_eventgrid_topic | Ensure that Azure Event Grid Topic local Authentication is disabled | Terraform | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicLocalAuthentication.py) | -| 1434 | CKV_AZURE_193 | resource | azurerm_eventgrid_topic | Ensure public network access is disabled for Azure Event Grid Topic | Terraform | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicNetworkAccess.py) | -| 1435 | CKV_AZURE_194 | resource | azurerm_eventgrid_domain | Ensure that Managed identity provider is enabled for Azure Event Grid Domain | Terraform | [EventgridDomainIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainIdentityProviderEnabled.py) | -| 1436 | CKV_AZURE_195 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain local Authentication is disabled | Terraform | [EventgridDomainLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainLocalAuthentication.py) | -| 1437 | CKV_AZURE_196 | resource | azurerm_signalr_service | Ensure that SignalR uses a Paid Sku for its SLA | Terraform | [SignalRSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SignalRSKUSLA.py) | -| 1438 | CKV_AZURE_197 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN disables the HTTP endpoint | Terraform | [CDNDisableHttpEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNDisableHttpEndpoints.py) | -| 1439 | CKV_AZURE_198 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN enables the HTTPS endpoint | Terraform | [CDNEnableHttpsEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNEnableHttpsEndpoints.py) | -| 1440 | CKV_AZURE_199 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses double encryption | Terraform | [AzureServicebusDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusDoubleEncryptionEnabled.py) | -| 1441 | CKV_AZURE_200 | resource | azurerm_cdn_endpoint_custom_domain | Ensure the Azure CDN endpoint is using the latest version of TLS encryption | Terraform | [CDNTLSProtocol12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py) | -| 1442 | CKV_AZURE_201 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses a customer-managed key to encrypt data | Terraform | [AzureServicebusHasCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusHasCMK.py) | -| 1443 | CKV_AZURE_202 | resource | azurerm_servicebus_namespace | Ensure that Managed identity provider is enabled for Azure Service Bus | Terraform | [AzureServicebusIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusIdentityProviderEnabled.py) | -| 1444 | CKV_AZURE_203 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus Local Authentication is disabled | Terraform | [AzureServicebusLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusLocalAuthDisabled.py) | -| 1445 | CKV_AZURE_204 | resource | azurerm_servicebus_namespace | Ensure 'public network access enabled' is set to 'False' for Azure Service Bus | Terraform | [AzureServicebusPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusPublicAccessDisabled.py) | -| 1446 | CKV_AZURE_205 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus is using the latest version of TLS encryption | Terraform | [AzureServicebusMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusMinTLSVersion.py) | -| 1447 | CKV_AZURE_206 | resource | azurerm_storage_account | Ensure that Storage Accounts use replication | Terraform | [StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsUseReplication.py) | -| 1448 | CKV_AZURE_207 | resource | azurerm_search_service | Ensure Azure Cognitive Search service uses managed identities to access Azure resources | Terraform | [AzureSearchManagedIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchManagedIdentity.py) | -| 1449 | CKV_AZURE_208 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for index updates | Terraform | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAIndex.py) | -| 1450 | CKV_AZURE_209 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for search index queries | Terraform | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAQueryUpdates.py) | -| 1451 | CKV_AZURE_210 | resource | azurerm_search_service | Ensure Azure Cognitive Search service allowed IPS does not give public Access | Terraform | [AzureSearchAllowedIPsNotGlobal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchAllowedIPsNotGlobal.py) | -| 1452 | CKV_AZURE_211 | resource | azurerm_service_plan | Ensure App Service plan suitable for production use | Terraform | [AppServiceSkuMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSkuMinimum.py) | -| 1453 | CKV_AZURE_212 | resource | azurerm_service_plan | Ensure App Service has a minimum number of instances for failover | Terraform | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py) | -| 1454 | CKV_AZURE_213 | resource | azurerm_app_service | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1455 | CKV_AZURE_213 | resource | azurerm_linux_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1456 | CKV_AZURE_213 | resource | azurerm_windows_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1457 | CKV_AZURE_214 | resource | azurerm_linux_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | -| 1458 | CKV_AZURE_214 | resource | azurerm_windows_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | -| 1459 | CKV_AZURE_215 | resource | azurerm_api_management_backend | Ensure API management backend uses https | Terraform | [APIManagementBackendHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementBackendHTTPS.py) | -| 1460 | CKV_AZURE_216 | resource | azurerm_firewall | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Terraform | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDenyThreatIntelMode.py) | -| 1461 | CKV_AZURE_217 | resource | azurerm_application_gateway | Ensure Azure Application gateways listener that allow connection requests over HTTP | Terraform | [AppGWUsesHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUsesHttps.py) | -| 1462 | CKV_AZURE_218 | resource | azurerm_application_gateway | Ensure Application Gateway defines secure protocols for in transit communication | Terraform | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py) | -| 1463 | CKV_AZURE_219 | resource | azurerm_firewall | Ensure Firewall defines a firewall policy | Terraform | [AzureFirewallDefinesPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDefinesPolicy.py) | -| 1464 | CKV_AZURE_220 | resource | azurerm_firewall_policy | Ensure Firewall policy has IDPS mode as deny | Terraform | [AzureFirewallPolicyIDPSDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallPolicyIDPSDeny.py) | -| 1465 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | [StorageCriticalDataEncryptedCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageCriticalDataEncryptedCMK.yaml) | -| 1466 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | -| 1467 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | -| 1468 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1469 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1470 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1471 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1472 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1473 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1474 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1475 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1476 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1477 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1478 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1479 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1480 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | -| 1481 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | -| 1482 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | [AzureActiveDirectoryAdminIsConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureActiveDirectoryAdminIsConfigured.yaml) | -| 1483 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 1484 | CKV2_AZURE_8 | resource | azurerm_storage_account | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 1485 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 1486 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | [VirtualMachinesUtilizingManagedDisks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VirtualMachinesUtilizingManagedDisks.yaml) | -| 1487 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | -| 1488 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | -| 1489 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | [DataExplorerEncryptionUsesCustomKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DataExplorerEncryptionUsesCustomKey.yaml) | -| 1490 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | [VMHasBackUpMachine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VMHasBackUpMachine.yaml) | -| 1491 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | -| 1492 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | -| 1493 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | -| 1494 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | -| 1495 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | [AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml) | -| 1496 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | -| 1497 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | -| 1498 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | -| 1499 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | -| 1500 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | [AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml) | -| 1501 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 1502 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 1503 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 1504 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 1505 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 1506 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 1507 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | -| 1508 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | -| 1509 | CKV2_AZURE_23 | resource | azurerm_spring_cloud_service | Ensure Azure spring cloud is configured with Virtual network (Vnet) | Terraform | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudConfigWithVnet.yaml) | -| 1510 | CKV2_AZURE_24 | resource | azurerm_automation_account | Ensure Azure automation account does NOT have overly permissive network access | Terraform | [AzureAutomationAccNotOverlyPermissiveNetAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccNotOverlyPermissiveNetAccess.yaml) | -| 1511 | CKV2_AZURE_25 | resource | azurerm_mssql_database | Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled | Terraform | [AzureSqlDbEnableTransparentDataEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSqlDbEnableTransparentDataEncryption.yaml) | -| 1512 | CKV2_AZURE_26 | resource | azurerm_postgresql_flexible_server_firewall_rule | Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access | Terraform | [AzurePostgreSQLFlexServerNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLFlexServerNotOverlyPermissive.yaml) | -| 1513 | CKV2_AZURE_27 | resource | azurerm_mssql_server | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Terraform | [AzureConfigMSSQLwithAD.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml) | -| 1514 | CKV2_AZURE_28 | resource | azurerm_container_group | Ensure Container Instance is configured with managed identity | Terraform | [AzureContainerInstanceconfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureContainerInstanceconfigManagedIdentity.yaml) | -| 1515 | CKV2_AZURE_29 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Azure CNI networking enabled | Terraform | [AzureAKSclusterAzureCNIEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAKSclusterAzureCNIEnabled.yaml) | -| 1516 | CKV2_AZURE_30 | resource | azurerm_container_registry_webhook | Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook | Terraform | [AzureACR_HTTPSwebhook.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureACR_HTTPSwebhook.yaml) | -| 1517 | CKV2_AZURE_31 | resource | azurerm_subnet | Ensure VNET subnet is configured with a Network Security Group (NSG) | Terraform | [AzureSubnetConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSubnetConfigWithNSG.yaml) | -| 1518 | CKV2_AZURE_32 | resource | azurerm_key_vault | Ensure private endpoint is configured to key vault | Terraform | [AzureKeyVaultConfigPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureKeyVaultConfigPrivateEndpoint.yaml) | -| 1519 | CKV2_AZURE_33 | resource | azurerm_storage_account | Ensure storage account is configured with private endpoint | Terraform | [AzureStorageAccConfigWithPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithPrivateEndpoint.yaml) | -| 1520 | CKV2_AZURE_34 | resource | azurerm_sql_firewall_rule | Ensure Azure SQL server firewall is not overly permissive | Terraform | [AzureSQLserverNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSQLserverNotOverlyPermissive.yaml) | -| 1521 | CKV2_AZURE_35 | resource | azurerm_recovery_services_vault | Ensure Azure recovery services vault is configured with managed identity | Terraform | [AzureRecoveryServicesvaultConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureRecoveryServicesvaultConfigManagedIdentity.yaml) | -| 1522 | CKV2_AZURE_36 | resource | azurerm_automation_account | Ensure Azure automation account is configured with managed identity | Terraform | [AzureAutomationAccConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccConfigManagedIdentity.yaml) | -| 1523 | CKV2_AZURE_37 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is using latest TLS (1.2) | Terraform | [AzureMariaDBserverUsingTLS_1_2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverUsingTLS_1_2.yaml) | -| 1524 | CKV2_AZURE_38 | resource | azurerm_storage_account | Ensure soft-delete is enabled on Azure storage account | Terraform | [AzureStorageAccountEnableSoftDelete.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccountEnableSoftDelete.yaml) | -| 1525 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/bridgecrew/credentials.py) | -| 1526 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | [SpacesBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketVersioning.py) | -| 1527 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | [DropletSSHKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/DropletSSHKeys.py) | -| 1528 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | [SpacesBucketPublicRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketPublicRead.py) | -| 1529 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | [FirewallIngressOpen.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/FirewallIngressOpen.py) | -| 1530 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClusterLogging.py) | -| 1531 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | [GoogleComputeFirewallUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress22.py) | -| 1532 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3389.py) | -| 1533 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | [GoogleComputeSSLPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSSLPolicy.py) | -| 1534 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | [GoogleCloudSqlDatabaseRequireSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py) | -| 1535 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | [GKEDisableLegacyAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDisableLegacyAuth.py) | -| 1536 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMonitoringEnabled.py) | -| 1537 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoRepairEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoRepairEnabled.py) | -| 1538 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoUpgradeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoUpgradeEnabled.py) | -| 1539 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | [GoogleCloudSqlDatabasePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabasePubliclyAccessible.py) | -| 1540 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | [GKENetworkPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENetworkPolicyEnabled.py) | -| 1541 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | [GKEClientCertificateDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py) | -| 1542 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | [GoogleCloudSqlBackupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlBackupConfiguration.py) | -| 1543 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | [GoogleBigQueryDatasetPublicACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleBigQueryDatasetPublicACL.py) | -| 1544 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | [GoogleCloudDNSSECEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSSECEnabled.py) | -| 1545 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | [GoogleCloudDNSKeySpecsRSASHA1.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSKeySpecsRSASHA1.py) | -| 1546 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | [GKEPublicControlPlane.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPublicControlPlane.py) | -| 1547 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | [GKEBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBasicAuth.py) | -| 1548 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | [GKEMasterAuthorizedNetworksEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMasterAuthorizedNetworksEnabled.py) | -| 1549 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | [GKEHasLabels.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEHasLabels.py) | -| 1550 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | [GKEUseCosImage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py) | -| 1551 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | [GKEAliasIpEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEAliasIpEnabled.py) | -| 1552 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | [GKEPodSecurityPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py) | -| 1553 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | [GKEPrivateClusterConfig.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateClusterConfig.py) | -| 1554 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | [GoogleSubnetworkLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkLoggingEnabled.py) | -| 1555 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | [GoogleProjectDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectDefaultNetwork.py) | -| 1556 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | -| 1557 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | -| 1558 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | [GoogleStorageBucketUniformAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketUniformAccess.py) | -| 1559 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | -| 1560 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | -| 1561 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | -| 1562 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | -| 1563 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | -| 1564 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | -| 1565 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | -| 1566 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | -| 1567 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | -| 1568 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | [GoogleComputeProjectOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeProjectOSLogin.py) | -| 1569 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | -| 1570 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | -| 1571 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | -| 1572 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | -| 1573 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | -| 1574 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | -| 1575 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | -| 1576 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | -| 1577 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | -| 1578 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDiskEncryption.py) | -| 1579 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeBootDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBootDiskEncryption.py) | -| 1580 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | -| 1581 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | -| 1582 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | -| 1583 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | -| 1584 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | -| 1585 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | -| 1586 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | -| 1587 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | -| 1588 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | [GoogleProjectAdminServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectAdminServiceAccount.py) | -| 1589 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | [GoogleKMSRotationPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py) | -| 1590 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | -| 1591 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | -| 1592 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | -| 1593 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | -| 1594 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | -| 1595 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | -| 1596 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | -| 1597 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | -| 1598 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | -| 1599 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | -| 1600 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | -| 1601 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | -| 1602 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | [GoogleCloudMySqlLocalInfileOff.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudMySqlLocalInfileOff.py) | -| 1603 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogCheckpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py) | -| 1604 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogConnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py) | -| 1605 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogDisconnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py) | -| 1606 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogLockWaits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py) | -| 1607 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | [GoogleCloudPostgreSqlLogMinMessage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinMessage.py) | -| 1608 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | [GoogleCloudPostgreSqlLogTemp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogTemp.py) | -| 1609 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | [GoogleCloudPostgreSqlLogMinDuration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinDuration.py) | -| 1610 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | [GoogleCloudSqlServerCrossDBOwnershipChaining.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerCrossDBOwnershipChaining.py) | -| 1611 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | [GoogleCloudSqlServerContainedDBAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerContainedDBAuthentication.py) | -| 1612 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | [GoogleCloudSqlServerNoPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerNoPublicIP.py) | -| 1613 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | [GKEEnableVPCFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableVPCFlowLogs.py) | -| 1614 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | [CloudStorageLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageLogging.py) | -| 1615 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | [CloudStorageSelfLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageSelfLogging.py) | -| 1616 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | [GKEPrivateNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateNodes.py) | -| 1617 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | [GKEKubernetesRBACGoogleGroups.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEKubernetesRBACGoogleGroups.py) | -| 1618 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | [GKEBinaryAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py) | -| 1619 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | -| 1620 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | -| 1621 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | -| 1622 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | -| 1623 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | [GKEReleaseChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEReleaseChannel.py) | -| 1624 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | [GKEEnableShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableShieldedNodes.py) | -| 1625 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | -| 1626 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | -| 1627 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [CloudArmorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py) | -| 1628 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | [GoogleSubnetworkPrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py) | -| 1629 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | [GoogleComputeFirewallUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress21.py) | -| 1630 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | [GoogleSubnetworkIPV6PrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py) | -| 1631 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | [GoogleComputeFirewallUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress20.py) | -| 1632 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | [CloudStorageVersioningEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageVersioningEnabled.py) | -| 1633 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | [CloudSqlMajorVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudSqlMajorVersion.py) | -| 1634 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryTableEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableEncryptedWithCMK.py) | -| 1635 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryDatasetEncryptedWithCMK.py) | -| 1636 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | [GoogleKMSPreventDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSPreventDestroy.py) | -| 1637 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [CloudPubSubEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudPubSubEncryptedWithCMK.py) | -| 1638 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [ArtifactRegsitryEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegsitryEncryptedWithCMK.py) | -| 1639 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigTableInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceEncryptedWithCMK.py) | -| 1640 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | [CloudBuildWorkersArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudBuildWorkersArePrivate.py) | -| 1641 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | [DataFusionPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionPrivateInstance.py) | -| 1642 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3306.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3306.py) | -| 1643 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | [VertexAIPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIPrivateInstance.py) | -| 1644 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataflowJobEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowJobEncryptedWithCMK.py) | -| 1645 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataprocClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocClusterEncryptedWithCMK.py) | -| 1646 | CKV_GCP_92 | resource | google_vertex_ai_dataset | Ensure Vertex AI datasets uses a CMK (Customer Manager Key) | Terraform | [VertexAIDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIDatasetEncryptedWithCMK.py) | -| 1647 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [SpannerDatabaseEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseEncryptedWithCMK.py) | -| 1648 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | [DataflowPrivateJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowPrivateJob.py) | -| 1649 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | [MemorystoreForRedisAuthEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisAuthEnabled.py) | -| 1650 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Manager Key) | Terraform | [VertexAIMetadataStoreEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIMetadataStoreEncryptedWithCMK.py) | -| 1651 | CKV_GCP_97 | resource | google_redis_instance | Ensure Memorystore for Redis uses intransit encryption | Terraform | [MemorystoreForRedisInTransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisInTransitEncryption.py) | -| 1652 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | -| 1653 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | -| 1654 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | -| 1655 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | -| 1656 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | -| 1657 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | -| 1658 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | -| 1659 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | -| 1660 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | -| 1661 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | -| 1662 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | [DataprocPublicIpCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPublicIpCluster.py) | -| 1663 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | [DataFusionStackdriverLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverLogs.py) | -| 1664 | CKV_GCP_105 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver monitoring enabled | Terraform | [DataFusionStackdriverMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverMonitoring.py) | -| 1665 | CKV_GCP_106 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | Terraform | [GoogleComputeFirewallUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress80.py) | -| 1666 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 1667 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 1668 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 1669 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 1670 | CKV_GCP_108 | resource | google_sql_database_instance | Ensure hostnames are logged for GCP PostgreSQL databases | Terraform | [GoogleCloudPostgreSqlLogHostname.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogHostname.py) | -| 1671 | CKV_GCP_109 | resource | google_sql_database_instance | Ensure the GCP PostgreSQL database log levels are set to ERROR or lower | Terraform | [GoogleCloudPostgreSqlLogMinErrorStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinErrorStatement.py) | -| 1672 | CKV_GCP_110 | resource | google_sql_database_instance | Ensure pgAudit is enabled for your GCP PostgreSQL database | Terraform | [GoogleCloudPostgreSqlEnablePgaudit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlEnablePgaudit.py) | -| 1673 | CKV_GCP_111 | resource | google_sql_database_instance | Ensure GCP PostgreSQL logs SQL statements | Terraform | [GoogleCloudPostgreSqlLogStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogStatement.py) | -| 1674 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_binding | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 1675 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_member | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 1676 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_policy | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 1677 | CKV_GCP_113 | data | google_iam_policy | Ensure IAM policy should not define public access | Terraform | [GooglePolicyIsPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py) | -| 1678 | CKV_GCP_114 | resource | google_storage_bucket | Ensure public access prevention is enforced on Cloud Storage bucket | Terraform | [GoogleStoragePublicAccessPrevention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStoragePublicAccessPrevention.py) | -| 1679 | CKV_GCP_115 | resource | google_organization_iam_binding | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | -| 1680 | CKV_GCP_115 | resource | google_organization_iam_member | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | -| 1681 | CKV_GCP_116 | resource | google_folder_iam_binding | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | -| 1682 | CKV_GCP_116 | resource | google_folder_iam_member | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | -| 1683 | CKV_GCP_117 | resource | google_project_iam_binding | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | -| 1684 | CKV_GCP_117 | resource | google_project_iam_member | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | -| 1685 | CKV_GCP_118 | resource | google_iam_workload_identity_pool_provider | Ensure IAM workload identity pool provider is restricted | Terraform | [GoogleIAMWorkloadIdentityConditional.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleIAMWorkloadIdentityConditional.py) | -| 1686 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | [GKEClustersAreNotUsingDefaultServiceAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GKEClustersAreNotUsingDefaultServiceAccount.yaml) | -| 1687 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | [GCPProjectHasNoLegacyNetworks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPProjectHasNoLegacyNetworks.yaml) | -| 1688 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | [ServiceAccountHasGCPmanagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/ServiceAccountHasGCPmanagedKey.yaml) | -| 1689 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 1690 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 1691 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 1692 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 1693 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | -| 1694 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | -| 1695 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 1696 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 1697 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 1698 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | -| 1699 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | -| 1700 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 1701 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 1702 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 1703 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 1704 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 1705 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 1706 | CKV2_GCP_10 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function HTTP trigger is secured | Terraform | [CloudFunctionSecureHTTPTrigger.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml) | -| 1707 | CKV2_GCP_11 | resource | google_project_services | Ensure GCP GCR Container Vulnerability Scanning is enabled | Terraform | [GCRContainerVulnerabilityScanningEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCRContainerVulnerabilityScanningEnabled.yaml) | -| 1708 | CKV2_GCP_12 | resource | google_compute_firewall | Ensure GCP compute firewall ingress does not allow unrestricted access to all ports | Terraform | [GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml) | -| 1709 | CKV2_GCP_13 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_duration' is set to 'on' | Terraform | [GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml) | -| 1710 | CKV2_GCP_14 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml) | -| 1711 | CKV2_GCP_15 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml) | -| 1712 | CKV2_GCP_16 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml) | -| 1713 | CKV2_GCP_17 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml) | -| 1714 | CKV2_GCP_18 | resource | google_compute_network | Ensure GCP network defines a firewall and does not use the default firewall | Terraform | [GCPNetworkDoesNotUseDefaultFirewall.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml) | -| 1715 | CKV2_GCP_19 | resource | google_container_cluster | Ensure GCP Kubernetes engine clusters have 'alpha cluster' feature disabled | Terraform | [GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml) | -| 1716 | CKV2_GCP_20 | resource | google_sql_database_instance | Ensure MySQL DB instance has point-in-time recovery backup configured | Terraform | [GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml) | -| 1717 | CKV_GIT_1 | resource | github_repository | Ensure GitHub repository is Private | Terraform | [PrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/PrivateRepo.py) | -| 1718 | CKV_GIT_2 | resource | github_repository_webhook | Ensure GitHub repository webhooks are using HTTPS | Terraform | [WebhookInsecureSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/WebhookInsecureSsl.py) | -| 1719 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | [RepositoryEnableVulnerabilityAlerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py) | -| 1720 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 1721 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 1722 | CKV_GIT_4 | resource | github_actions_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 1723 | CKV_GIT_5 | resource | github_branch_protection | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | -| 1724 | CKV_GIT_5 | resource | github_branch_protection_v3 | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | -| 1725 | CKV_GIT_6 | resource | github_branch_protection | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | -| 1726 | CKV_GIT_6 | resource | github_branch_protection_v3 | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | -| 1727 | CKV2_GIT_1 | resource | github_repository | Ensure each Repository has branch protection associated | Terraform | [RepositoryHasBranchProtection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/github/RepositoryHasBranchProtection.yaml) | -| 1728 | CKV_GLB_1 | resource | gitlab_project | Ensure at least two approving reviews are required to merge a GitLab MR | Terraform | [RequireTwoApprovalsToMerge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RequireTwoApprovalsToMerge.py) | -| 1729 | CKV_GLB_2 | resource | gitlab_branch_protection | Ensure GitLab branch protection rules does not allow force pushes | Terraform | [ForcePushDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/ForcePushDisabled.py) | -| 1730 | CKV_GLB_3 | resource | gitlab_project | Ensure GitLab prevent secrets is enabled | Terraform | [PreventSecretsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/PreventSecretsEnabled.py) | -| 1731 | CKV_GLB_4 | resource | gitlab_project | Ensure GitLab commits are signed | Terraform | [RejectUnsignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RejectUnsignedCommits.py) | -| 1732 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPIDPSP.py) | -| 1733 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | [PrivilegedContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainerPSP.py) | -| 1734 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPCPSP.py) | -| 1735 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespacePSP.py) | -| 1736 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalationPSP.py) | -| 1737 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | [RootContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py) | -| 1738 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py) | -| 1739 | CKV_K8S_8 | resource | kubernetes_deployment | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 1740 | CKV_K8S_8 | resource | kubernetes_deployment_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 1741 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 1742 | CKV_K8S_8 | resource | kubernetes_pod_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 1743 | CKV_K8S_9 | resource | kubernetes_deployment | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 1744 | CKV_K8S_9 | resource | kubernetes_deployment_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 1745 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 1746 | CKV_K8S_9 | resource | kubernetes_pod_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 1747 | CKV_K8S_10 | resource | kubernetes_deployment | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 1748 | CKV_K8S_10 | resource | kubernetes_deployment_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 1749 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 1750 | CKV_K8S_10 | resource | kubernetes_pod_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 1751 | CKV_K8S_11 | resource | kubernetes_deployment | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 1752 | CKV_K8S_11 | resource | kubernetes_deployment_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 1753 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 1754 | CKV_K8S_11 | resource | kubernetes_pod_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 1755 | CKV_K8S_12 | resource | kubernetes_deployment | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 1756 | CKV_K8S_12 | resource | kubernetes_deployment_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 1757 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 1758 | CKV_K8S_12 | resource | kubernetes_pod_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 1759 | CKV_K8S_13 | resource | kubernetes_deployment | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 1760 | CKV_K8S_13 | resource | kubernetes_deployment_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 1761 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 1762 | CKV_K8S_13 | resource | kubernetes_pod_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 1763 | CKV_K8S_14 | resource | kubernetes_deployment | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 1764 | CKV_K8S_14 | resource | kubernetes_deployment_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 1765 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 1766 | CKV_K8S_14 | resource | kubernetes_pod_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 1767 | CKV_K8S_15 | resource | kubernetes_deployment | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 1768 | CKV_K8S_15 | resource | kubernetes_deployment_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 1769 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 1770 | CKV_K8S_15 | resource | kubernetes_pod_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 1771 | CKV_K8S_16 | resource | kubernetes_deployment | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 1772 | CKV_K8S_16 | resource | kubernetes_deployment_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 1773 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 1774 | CKV_K8S_16 | resource | kubernetes_pod_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 1775 | CKV_K8S_17 | resource | kubernetes_deployment | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 1776 | CKV_K8S_17 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 1777 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 1778 | CKV_K8S_17 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 1779 | CKV_K8S_18 | resource | kubernetes_deployment | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 1780 | CKV_K8S_18 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 1781 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 1782 | CKV_K8S_18 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 1783 | CKV_K8S_19 | resource | kubernetes_deployment | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 1784 | CKV_K8S_19 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 1785 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 1786 | CKV_K8S_19 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 1787 | CKV_K8S_20 | resource | kubernetes_deployment | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 1788 | CKV_K8S_20 | resource | kubernetes_deployment_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 1789 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 1790 | CKV_K8S_20 | resource | kubernetes_pod_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 1791 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1792 | CKV_K8S_21 | resource | kubernetes_config_map_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1793 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1794 | CKV_K8S_21 | resource | kubernetes_cron_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1795 | CKV_K8S_21 | resource | kubernetes_daemon_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1796 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1797 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1798 | CKV_K8S_21 | resource | kubernetes_deployment_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1799 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1800 | CKV_K8S_21 | resource | kubernetes_ingress_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1801 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1802 | CKV_K8S_21 | resource | kubernetes_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1803 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1804 | CKV_K8S_21 | resource | kubernetes_pod_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1805 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1806 | CKV_K8S_21 | resource | kubernetes_replication_controller_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1807 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1808 | CKV_K8S_21 | resource | kubernetes_role_binding_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1809 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1810 | CKV_K8S_21 | resource | kubernetes_secret_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1811 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1812 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1813 | CKV_K8S_21 | resource | kubernetes_service_account_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1814 | CKV_K8S_21 | resource | kubernetes_service_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1815 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1816 | CKV_K8S_21 | resource | kubernetes_stateful_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1817 | CKV_K8S_22 | resource | kubernetes_deployment | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 1818 | CKV_K8S_22 | resource | kubernetes_deployment_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 1819 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 1820 | CKV_K8S_22 | resource | kubernetes_pod_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 1821 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesPSP.py) | -| 1822 | CKV_K8S_25 | resource | kubernetes_deployment | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 1823 | CKV_K8S_25 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 1824 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 1825 | CKV_K8S_25 | resource | kubernetes_pod_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 1826 | CKV_K8S_26 | resource | kubernetes_deployment | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 1827 | CKV_K8S_26 | resource | kubernetes_deployment_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 1828 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 1829 | CKV_K8S_26 | resource | kubernetes_pod_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 1830 | CKV_K8S_27 | resource | kubernetes_daemon_set_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 1831 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 1832 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 1833 | CKV_K8S_27 | resource | kubernetes_deployment_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 1834 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 1835 | CKV_K8S_27 | resource | kubernetes_pod_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 1836 | CKV_K8S_28 | resource | kubernetes_deployment | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 1837 | CKV_K8S_28 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 1838 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 1839 | CKV_K8S_28 | resource | kubernetes_pod_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 1840 | CKV_K8S_29 | resource | kubernetes_daemon_set_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 1841 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 1842 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 1843 | CKV_K8S_29 | resource | kubernetes_deployment_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 1844 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 1845 | CKV_K8S_29 | resource | kubernetes_pod_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 1846 | CKV_K8S_30 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 1847 | CKV_K8S_30 | resource | kubernetes_deployment_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 1848 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 1849 | CKV_K8S_30 | resource | kubernetes_pod_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 1850 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py) | -| 1851 | CKV_K8S_34 | resource | kubernetes_deployment | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 1852 | CKV_K8S_34 | resource | kubernetes_deployment_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 1853 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 1854 | CKV_K8S_34 | resource | kubernetes_pod_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 1855 | CKV_K8S_35 | resource | kubernetes_deployment | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 1856 | CKV_K8S_35 | resource | kubernetes_deployment_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 1857 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 1858 | CKV_K8S_35 | resource | kubernetes_pod_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 1859 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilitiesPSP.py) | -| 1860 | CKV_K8S_37 | resource | kubernetes_deployment | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 1861 | CKV_K8S_37 | resource | kubernetes_deployment_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 1862 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 1863 | CKV_K8S_37 | resource | kubernetes_pod_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 1864 | CKV_K8S_39 | resource | kubernetes_deployment | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 1865 | CKV_K8S_39 | resource | kubernetes_deployment_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 1866 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 1867 | CKV_K8S_39 | resource | kubernetes_pod_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 1868 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | -| 1869 | CKV_K8S_41 | resource | kubernetes_service_account_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | -| 1870 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 1871 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 1872 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 1873 | CKV_K8S_42 | resource | kubernetes_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 1874 | CKV_K8S_43 | resource | kubernetes_deployment | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 1875 | CKV_K8S_43 | resource | kubernetes_deployment_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 1876 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 1877 | CKV_K8S_43 | resource | kubernetes_pod_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 1878 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | -| 1879 | CKV_K8S_44 | resource | kubernetes_service_v1 | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | -| 1880 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 1881 | CKV_K8S_49 | resource | kubernetes_cluster_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 1882 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 1883 | CKV_K8S_49 | resource | kubernetes_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 1884 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/linode/credentials.py) | -| 1885 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | [authorized_keys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/authorized_keys.py) | -| 1886 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | [user_email_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_email_set.py) | -| 1887 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | [user_username_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_username_set.py) | -| 1888 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_inbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_inbound_policy.py) | -| 1889 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_outbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_outbound_policy.py) | -| 1890 | CKV_NCP_1 | resource | ncloud_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupDefinesHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py) | -| 1891 | CKV_NCP_2 | resource | ncloud_access_control_group | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | -| 1892 | CKV_NCP_2 | resource | ncloud_access_control_group_rule | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | -| 1893 | CKV_NCP_3 | resource | ncloud_access_control_group_rule | Ensure no security group rules allow outbound traffic to 0.0.0.0/0 | Terraform | [AccessControlGroupOutboundRule.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py) | -| 1894 | CKV_NCP_4 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22 | Terraform | [AccessControlGroupInboundRulePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort22.py) | -| 1895 | CKV_NCP_5 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [AccessControlGroupInboundRulePort3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort3389.py) | -| 1896 | CKV_NCP_6 | resource | ncloud_server | Ensure Server instance is encrypted. | Terraform | [ServerEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerEncryptionVPC.py) | -| 1897 | CKV_NCP_7 | resource | ncloud_launch_configuration | Ensure Basic Block storage is encrypted. | Terraform | [LaunchConfigurationEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LaunchConfigurationEncryptionVPC.py) | -| 1898 | CKV_NCP_8 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 20 | Terraform | [NACLInbound20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound20.py) | -| 1899 | CKV_NCP_9 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 21 | Terraform | [NACLInbound21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound21.py) | -| 1900 | CKV_NCP_10 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 22 | Terraform | [NACLInbound22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound22.py) | -| 1901 | CKV_NCP_11 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [NACLInbound3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound3389.py) | -| 1902 | CKV_NCP_12 | resource | ncloud_network_acl_rule | An inbound Network ACL rule should not allow ALL ports. | Terraform | [NACLPortCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLPortCheck.py) | -| 1903 | CKV_NCP_13 | resource | ncloud_lb_listener | Ensure LB Listener uses only secure protocols | Terraform | [LBListenerUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py) | -| 1904 | CKV_NCP_14 | resource | ncloud_nas_volume | Ensure NAS is securely encrypted | Terraform | [NASEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py) | -| 1905 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | [LBTargetGroupUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py) | -| 1906 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | [LBNetworkPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py) | -| 1907 | CKV_NCP_18 | resource | ncloud_auto_scaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | -| 1908 | CKV_NCP_18 | resource | ncloud_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | -| 1909 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | [NKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSPublicAccess.py) | -| 1910 | CKV_NCP_20 | resource | ncloud_route | Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | Terraform | [RouteTableNATGatewayDefault.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py) | -| 1911 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | [NKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py) | -| 1912 | CKV_NCP_22 | resource | ncloud_route_table | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | -| 1913 | CKV_NCP_22 | resource | ncloud_subnet | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | -| 1914 | CKV_NCP_23 | resource | ncloud_public_ip | Ensure Server instance should not have public IP. | Terraform | [ServerPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerPublicIP.py) | -| 1915 | CKV_NCP_24 | resource | ncloud_lb_listener | Ensure Load Balancer Listener Using HTTPS | Terraform | [LBListenerUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsingHTTPS.py) | -| 1916 | CKV_NCP_25 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 | Terraform | [AccessControlGroupInboundRulePort80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort80.py) | -| 1917 | CKV_NCP_26 | resource | ncloud_access_control_group | Ensure Access Control Group has Access Control Group Rule attached | Terraform | [AccessControlGroupRuleDefine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AccessControlGroupRuleDefine.yaml) | -| 1918 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/oci/credentials.py) | -| 1919 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | [StorageBlockBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockBackupEnabled.py) | -| 1920 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | [StorageBlockEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockEncryption.py) | -| 1921 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | [InstanceBootVolumeIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceBootVolumeIntransitEncryption.py) | -| 1922 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | [InstanceMetadataServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMetadataServiceEnabled.py) | -| 1923 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | [InstanceMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMonitoringEnabled.py) | -| 1924 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | [ObjectStorageEmitEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEmitEvents.py) | -| 1925 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | [ObjectStorageVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageVersioning.py) | -| 1926 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | [ObjectStorageEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEncryption.py) | -| 1927 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | [ObjectStoragePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStoragePublic.py) | -| 1928 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | [IAMPasswordPolicyLowerCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyLowerCase.py) | -| 1929 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | [IAMPasswordPolicyNumeric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyNumeric.py) | -| 1930 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | [IAMPasswordPolicySpecialCharacters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicySpecialCharacters.py) | -| 1931 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | [IAMPasswordPolicyUpperCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyUpperCase.py) | -| 1932 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | [FileSystemEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/FileSystemEncryption.py) | -| 1933 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | [SecurityListIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngress.py) | -| 1934 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | [SecurityListIngressStateless.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngressStateless.py) | -| 1935 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters | Terraform | [IAMPasswordLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordLength.py) | -| 1936 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | [SecurityListUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress22.py) | -| 1937 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | [SecurityListUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress3389.py) | -| 1938 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | [SecurityGroupsIngressStatelessSecurityRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityGroupsIngressStatelessSecurityRules.py) | -| 1939 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | [AbsSecurityGroupUnrestrictedIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/AbsSecurityGroupUnrestrictedIngress.py) | -| 1940 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 1941 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 1942 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 1943 | CKV2_OCI_2 | resource | oci_core_network_security_group_security_rule | Ensure NSG does not allow all traffic on RDP port (3389) | Terraform | [OCI_NSGNotAllowRDP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml) | -| 1944 | CKV2_OCI_3 | resource | oci_containerengine_cluster | Ensure Kubernetes engine cluster is configured with NSG(s) | Terraform | [OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml) | -| 1945 | CKV2_OCI_4 | resource | oci_file_storage_export | Ensure File Storage File System access is restricted to root users | Terraform | [OCI_NFSaccessRestrictedToRootUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NFSaccessRestrictedToRootUsers.yaml) | -| 1946 | CKV2_OCI_5 | resource | oci_containerengine_node_pool | Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Terraform | [OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml) | -| 1947 | CKV2_OCI_6 | resource | oci_containerengine_cluster | Ensure Kubernetes Engine Cluster pod security policy is enforced | Terraform | [OCI_K8EngineClusterPodSecPolicyEnforced.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterPodSecPolicyEnforced.yaml) | -| 1948 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/openstack/credentials.py) | -| 1949 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | -| 1950 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | -| 1951 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | -| 1952 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | -| 1953 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | [ComputeInstanceAdminPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/ComputeInstanceAdminPassword.py) | -| 1954 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | [FirewallRuleSetDestinationIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/FirewallRuleSetDestinationIP.py) | -| 1955 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/panos/credentials.py) | -| 1956 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoHTTP.py) | -| 1957 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoTelnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoTelnet.py) | -| 1958 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | -| 1959 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | -| 1960 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | -| 1961 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | -| 1962 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | -| 1963 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | -| 1964 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | -| 1965 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | -| 1966 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | -| 1967 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | -| 1968 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | -| 1969 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | -| 1970 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | -| 1971 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | -| 1972 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | -| 1973 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | -| 1974 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | -| 1975 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | -| 1976 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | -| 1977 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | -| 1978 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 1979 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 1980 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 1981 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | -| 1982 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | -| 1983 | CKV_TF_1 | module | module | Ensure Terraform module sources use a commit hash | Terraform | [RevisionHash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py) | -| 1984 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 1985 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 1986 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 1987 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 1988 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 1989 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 1990 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 1991 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 1992 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 1993 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | [ComputeVMPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMPublicIP.py) | -| 1994 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | [ObjectStorageBucketEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketEncryption.py) | -| 1995 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | [ComputeVMSerialConsole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSerialConsole.py) | -| 1996 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | [K8SPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SPublicIP.py) | -| 1997 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | [K8SNodeGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupPublicIP.py) | -| 1998 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform | [K8SAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SAutoUpgrade.py) | -| 1999 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | [K8SNodeGroupAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupAutoUpgrade.py) | -| 2000 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | [KMSSymmetricKeyRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/KMSSymmetricKeyRotation.py) | -| 2001 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | [K8SEtcdKMSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SEtcdKMSEncryption.py) | -| 2002 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | [ComputeVMSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSecurityGroup.py) | -| 2003 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2004 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2005 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2006 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2007 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2008 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2009 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2010 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2011 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | -| 2012 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | -| 2013 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | [K8SSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SSecurityGroup.py) | -| 2014 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | [K8SNodeGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupSecurityGroup.py) | -| 2015 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | [K8SNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNetworkPolicy.py) | -| 2016 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. | Terraform | [ObjectStorageBucketPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py) | -| 2017 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | [ComputeInstanceGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupPublicIP.py) | -| 2018 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform | [VPCSecurityGroupAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py) | -| 2019 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | [VPCSecurityGroupRuleAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py) | -| 2020 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | -| 2021 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | -| 2022 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform | [ComputeInstanceGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupSecurityGroup.py) | -| 2023 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | -| 2024 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | -| 2025 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2026 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2027 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2028 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2029 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2030 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 506 | CKV_AWS_359 | resource | aws_neptune_cluster | Neptune DB clusters should have IAM database authentication enabled | Terraform | [NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py) | +| 507 | CKV_AWS_360 | resource | aws_docdb_cluster | Ensure DocDB has an adequate backup retention period | Terraform | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBBackupRetention.py) | +| 508 | CKV_AWS_361 | resource | aws_neptune_cluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Terraform | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py) | +| 509 | CKV_AWS_362 | resource | aws_neptune_cluster | Neptune DB clusters should be configured to copy tags to snapshots | Terraform | [NeptuneDBClustersCopyTagsToSnapshots.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersCopyTagsToSnapshots.py) | +| 510 | CKV_AWS_363 | resource | aws_lambda_function | Ensure Lambda Runtime is not deprecated | Terraform | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py) | +| 511 | CKV_AWS_364 | resource | aws_lambda_permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Terraform | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaServicePermission.py) | +| 512 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | +| 513 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | +| 514 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | +| 515 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | +| 516 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | +| 517 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | +| 518 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | +| 519 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | +| 520 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform | [SGAttachedToResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml) | +| 521 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | +| 522 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | +| 523 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | +| 524 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | +| 525 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | [RDSClusterHasBackupPlan.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSClusterHasBackupPlan.yaml) | +| 526 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | [EBSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EBSAddedBackup.yaml) | +| 527 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | [CloudtrailHasCloudwatch.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudtrailHasCloudwatch.yaml) | +| 528 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | [VPCHasFlowLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasFlowLog.yaml) | +| 529 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | +| 530 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | +| 531 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | +| 532 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | +| 533 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | +| 534 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | +| 535 | CKV2_AWS_15 | resource | aws_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | +| 536 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | +| 537 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | +| 538 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | [EFSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EFSAddedBackup.yaml) | +| 539 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | +| 540 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | +| 541 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | +| 542 | CKV2_AWS_20 | resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | +| 543 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | +| 544 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | +| 545 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | [IAMUsersAreMembersAtLeastOneGroup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUsersAreMembersAtLeastOneGroup.yaml) | +| 546 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | [IAMUserHasNoConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUserHasNoConsoleAccess.yaml) | +| 547 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | [Route53ARecordAttachedResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ARecordAttachedResource.yaml) | +| 548 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | +| 549 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | +| 550 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | +| 551 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | +| 552 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | +| 553 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | +| 554 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | +| 555 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | +| 556 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 has a Logging Configuration | Terraform | [WAF2HasLogs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/WAF2HasLogs.yaml) | +| 557 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a response headers policy attached | Terraform | [CloudFrontHasResponseHeadersPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasResponseHeadersPolicy.yaml) | +| 558 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppSyncProtectedByWAF.yaml) | +| 559 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform | [AWSSSMParameterShouldBeEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSSSMParameterShouldBeEncrypted.yaml) | +| 560 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | +| 561 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | +| 562 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | +| 563 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | +| 564 | CKV2_AWS_37 | resource | aws | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 565 | CKV2_AWS_37 | resource | aws_accessanalyzer_analyzer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 566 | CKV2_AWS_37 | resource | aws_acm_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 567 | CKV2_AWS_37 | resource | aws_acm_certificate_validation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 568 | CKV2_AWS_37 | resource | aws_acmpca_certificate_authority | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 569 | CKV2_AWS_37 | resource | aws_ami | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 570 | CKV2_AWS_37 | resource | aws_ami_copy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 571 | CKV2_AWS_37 | resource | aws_ami_from_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 572 | CKV2_AWS_37 | resource | aws_ami_launch_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 573 | CKV2_AWS_37 | resource | aws_api_gateway_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 574 | CKV2_AWS_37 | resource | aws_api_gateway_api_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 575 | CKV2_AWS_37 | resource | aws_api_gateway_authorizer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 576 | CKV2_AWS_37 | resource | aws_api_gateway_base_path_mapping | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 577 | CKV2_AWS_37 | resource | aws_api_gateway_client_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 578 | CKV2_AWS_37 | resource | aws_api_gateway_deployment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 579 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_part | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 580 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_version | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 581 | CKV2_AWS_37 | resource | aws_api_gateway_domain_name | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 582 | CKV2_AWS_37 | resource | aws_api_gateway_gateway_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 583 | CKV2_AWS_37 | resource | aws_api_gateway_integration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 584 | CKV2_AWS_37 | resource | aws_api_gateway_integration_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 585 | CKV2_AWS_37 | resource | aws_api_gateway_method | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 586 | CKV2_AWS_37 | resource | aws_api_gateway_method_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 587 | CKV2_AWS_37 | resource | aws_api_gateway_method_settings | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 588 | CKV2_AWS_37 | resource | aws_api_gateway_model | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 589 | CKV2_AWS_37 | resource | aws_api_gateway_request_validator | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 590 | CKV2_AWS_37 | resource | aws_api_gateway_resource | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 591 | CKV2_AWS_37 | resource | aws_api_gateway_rest_api | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 592 | CKV2_AWS_37 | resource | aws_api_gateway_stage | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 593 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 594 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 595 | CKV2_AWS_37 | resource | aws_api_gateway_vpc_link | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 596 | CKV2_AWS_37 | resource | aws_apigatewayv2_api | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 597 | CKV2_AWS_37 | resource | aws_apigatewayv2_api_mapping | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 598 | CKV2_AWS_37 | resource | aws_apigatewayv2_authorizer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 599 | CKV2_AWS_37 | resource | aws_apigatewayv2_deployment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 600 | CKV2_AWS_37 | resource | aws_apigatewayv2_domain_name | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 601 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 602 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 603 | CKV2_AWS_37 | resource | aws_apigatewayv2_model | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 604 | CKV2_AWS_37 | resource | aws_apigatewayv2_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 605 | CKV2_AWS_37 | resource | aws_apigatewayv2_route_response | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 606 | CKV2_AWS_37 | resource | aws_apigatewayv2_stage | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 607 | CKV2_AWS_37 | resource | aws_apigatewayv2_vpc_link | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 608 | CKV2_AWS_37 | resource | aws_app_cookie_stickiness_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 609 | CKV2_AWS_37 | resource | aws_appautoscaling_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 610 | CKV2_AWS_37 | resource | aws_appautoscaling_scheduled_action | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 611 | CKV2_AWS_37 | resource | aws_appautoscaling_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 612 | CKV2_AWS_37 | resource | aws_appmesh_mesh | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 613 | CKV2_AWS_37 | resource | aws_appmesh_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 614 | CKV2_AWS_37 | resource | aws_appmesh_virtual_node | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 615 | CKV2_AWS_37 | resource | aws_appmesh_virtual_router | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 616 | CKV2_AWS_37 | resource | aws_appmesh_virtual_service | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 617 | CKV2_AWS_37 | resource | aws_appsync_api_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 618 | CKV2_AWS_37 | resource | aws_appsync_datasource | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 619 | CKV2_AWS_37 | resource | aws_appsync_function | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 620 | CKV2_AWS_37 | resource | aws_appsync_graphql_api | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 621 | CKV2_AWS_37 | resource | aws_appsync_resolver | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 622 | CKV2_AWS_37 | resource | aws_athena_database | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 623 | CKV2_AWS_37 | resource | aws_athena_named_query | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 624 | CKV2_AWS_37 | resource | aws_athena_workgroup | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 625 | CKV2_AWS_37 | resource | aws_autoscaling_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 626 | CKV2_AWS_37 | resource | aws_autoscaling_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 627 | CKV2_AWS_37 | resource | aws_autoscaling_lifecycle_hook | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 628 | CKV2_AWS_37 | resource | aws_autoscaling_notification | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 629 | CKV2_AWS_37 | resource | aws_autoscaling_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 630 | CKV2_AWS_37 | resource | aws_autoscaling_schedule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 631 | CKV2_AWS_37 | resource | aws_backup_plan | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 632 | CKV2_AWS_37 | resource | aws_backup_selection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 633 | CKV2_AWS_37 | resource | aws_backup_vault | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 634 | CKV2_AWS_37 | resource | aws_batch_compute_environment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 635 | CKV2_AWS_37 | resource | aws_batch_job_definition | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 636 | CKV2_AWS_37 | resource | aws_batch_job_queue | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 637 | CKV2_AWS_37 | resource | aws_budgets_budget | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 638 | CKV2_AWS_37 | resource | aws_cloud9_environment_ec2 | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 639 | CKV2_AWS_37 | resource | aws_cloudformation_stack | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 640 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 641 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 642 | CKV2_AWS_37 | resource | aws_cloudfront_distribution | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 643 | CKV2_AWS_37 | resource | aws_cloudfront_origin_access_identity | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 644 | CKV2_AWS_37 | resource | aws_cloudfront_public_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 645 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 646 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_hsm | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 647 | CKV2_AWS_37 | resource | aws_cloudtrail | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 648 | CKV2_AWS_37 | resource | aws_cloudwatch_dashboard | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 649 | CKV2_AWS_37 | resource | aws_cloudwatch_event_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 650 | CKV2_AWS_37 | resource | aws_cloudwatch_event_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 651 | CKV2_AWS_37 | resource | aws_cloudwatch_event_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 652 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 653 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 654 | CKV2_AWS_37 | resource | aws_cloudwatch_log_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 655 | CKV2_AWS_37 | resource | aws_cloudwatch_log_metric_filter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 656 | CKV2_AWS_37 | resource | aws_cloudwatch_log_resource_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 657 | CKV2_AWS_37 | resource | aws_cloudwatch_log_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 658 | CKV2_AWS_37 | resource | aws_cloudwatch_log_subscription_filter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 659 | CKV2_AWS_37 | resource | aws_cloudwatch_metric_alarm | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 660 | CKV2_AWS_37 | resource | aws_codebuild_project | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 661 | CKV2_AWS_37 | resource | aws_codebuild_source_credential | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 662 | CKV2_AWS_37 | resource | aws_codebuild_webhook | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 663 | CKV2_AWS_37 | resource | aws_codecommit_repository | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 664 | CKV2_AWS_37 | resource | aws_codecommit_trigger | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 665 | CKV2_AWS_37 | resource | aws_codedeploy_app | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 666 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_config | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 667 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 668 | CKV2_AWS_37 | resource | aws_codepipeline | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 669 | CKV2_AWS_37 | resource | aws_codepipeline_webhook | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 670 | CKV2_AWS_37 | resource | aws_codestarnotifications_notification_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 671 | CKV2_AWS_37 | resource | aws_cognito_identity_pool | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 672 | CKV2_AWS_37 | resource | aws_cognito_identity_pool_roles_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 673 | CKV2_AWS_37 | resource | aws_cognito_identity_provider | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 674 | CKV2_AWS_37 | resource | aws_cognito_resource_server | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 675 | CKV2_AWS_37 | resource | aws_cognito_user_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 676 | CKV2_AWS_37 | resource | aws_cognito_user_pool | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 677 | CKV2_AWS_37 | resource | aws_cognito_user_pool_client | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 678 | CKV2_AWS_37 | resource | aws_cognito_user_pool_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 679 | CKV2_AWS_37 | resource | aws_config_aggregate_authorization | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 680 | CKV2_AWS_37 | resource | aws_config_config_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 681 | CKV2_AWS_37 | resource | aws_config_configuration_aggregator | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 682 | CKV2_AWS_37 | resource | aws_config_configuration_recorder | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 683 | CKV2_AWS_37 | resource | aws_config_configuration_recorder_status | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 684 | CKV2_AWS_37 | resource | aws_config_delivery_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 685 | CKV2_AWS_37 | resource | aws_config_organization_custom_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 686 | CKV2_AWS_37 | resource | aws_config_organization_managed_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 687 | CKV2_AWS_37 | resource | aws_cur_report_definition | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 688 | CKV2_AWS_37 | resource | aws_customer_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 689 | CKV2_AWS_37 | resource | aws_datapipeline_pipeline | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 690 | CKV2_AWS_37 | resource | aws_datasync_agent | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 691 | CKV2_AWS_37 | resource | aws_datasync_location_efs | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 692 | CKV2_AWS_37 | resource | aws_datasync_location_nfs | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 693 | CKV2_AWS_37 | resource | aws_datasync_location_s3 | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 694 | CKV2_AWS_37 | resource | aws_datasync_location_smb | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 695 | CKV2_AWS_37 | resource | aws_datasync_task | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 696 | CKV2_AWS_37 | resource | aws_dax_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 697 | CKV2_AWS_37 | resource | aws_dax_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 698 | CKV2_AWS_37 | resource | aws_dax_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 699 | CKV2_AWS_37 | resource | aws_db_cluster_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 700 | CKV2_AWS_37 | resource | aws_db_event_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 701 | CKV2_AWS_37 | resource | aws_db_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 702 | CKV2_AWS_37 | resource | aws_db_instance_role_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 703 | CKV2_AWS_37 | resource | aws_db_option_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 704 | CKV2_AWS_37 | resource | aws_db_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 705 | CKV2_AWS_37 | resource | aws_db_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 706 | CKV2_AWS_37 | resource | aws_db_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 707 | CKV2_AWS_37 | resource | aws_db_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 708 | CKV2_AWS_37 | resource | aws_default_network_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 709 | CKV2_AWS_37 | resource | aws_default_route_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 710 | CKV2_AWS_37 | resource | aws_default_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 711 | CKV2_AWS_37 | resource | aws_default_subnet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 712 | CKV2_AWS_37 | resource | aws_default_vpc | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 713 | CKV2_AWS_37 | resource | aws_default_vpc_dhcp_options | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 714 | CKV2_AWS_37 | resource | aws_devicefarm_project | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 715 | CKV2_AWS_37 | resource | aws_directory_service_conditional_forwarder | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 716 | CKV2_AWS_37 | resource | aws_directory_service_directory | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 717 | CKV2_AWS_37 | resource | aws_directory_service_log_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 718 | CKV2_AWS_37 | resource | aws_dlm_lifecycle_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 719 | CKV2_AWS_37 | resource | aws_dms_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 720 | CKV2_AWS_37 | resource | aws_dms_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 721 | CKV2_AWS_37 | resource | aws_dms_event_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 722 | CKV2_AWS_37 | resource | aws_dms_replication_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 723 | CKV2_AWS_37 | resource | aws_dms_replication_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 724 | CKV2_AWS_37 | resource | aws_dms_replication_task | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 725 | CKV2_AWS_37 | resource | aws_docdb_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 726 | CKV2_AWS_37 | resource | aws_docdb_cluster_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 727 | CKV2_AWS_37 | resource | aws_docdb_cluster_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 728 | CKV2_AWS_37 | resource | aws_docdb_cluster_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 729 | CKV2_AWS_37 | resource | aws_docdb_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 730 | CKV2_AWS_37 | resource | aws_dx_bgp_peer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 731 | CKV2_AWS_37 | resource | aws_dx_connection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 732 | CKV2_AWS_37 | resource | aws_dx_connection_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 733 | CKV2_AWS_37 | resource | aws_dx_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 734 | CKV2_AWS_37 | resource | aws_dx_gateway_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 735 | CKV2_AWS_37 | resource | aws_dx_gateway_association_proposal | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 736 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 737 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 738 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 739 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 740 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 741 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 742 | CKV2_AWS_37 | resource | aws_dx_lag | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 743 | CKV2_AWS_37 | resource | aws_dx_private_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 744 | CKV2_AWS_37 | resource | aws_dx_public_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 745 | CKV2_AWS_37 | resource | aws_dx_transit_virtual_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 746 | CKV2_AWS_37 | resource | aws_dynamodb_global_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 747 | CKV2_AWS_37 | resource | aws_dynamodb_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 748 | CKV2_AWS_37 | resource | aws_dynamodb_table_item | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 749 | CKV2_AWS_37 | resource | aws_ebs_default_kms_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 750 | CKV2_AWS_37 | resource | aws_ebs_encryption_by_default | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 751 | CKV2_AWS_37 | resource | aws_ebs_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 752 | CKV2_AWS_37 | resource | aws_ebs_snapshot_copy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 753 | CKV2_AWS_37 | resource | aws_ebs_volume | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 754 | CKV2_AWS_37 | resource | aws_ec2_availability_zone_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 755 | CKV2_AWS_37 | resource | aws_ec2_capacity_reservation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 756 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_authorization_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 757 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 758 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_network_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 759 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 760 | CKV2_AWS_37 | resource | aws_ec2_fleet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 761 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 762 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route_table_vpc_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 763 | CKV2_AWS_37 | resource | aws_ec2_tag | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 764 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 765 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 766 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_session | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 767 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 768 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 769 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 770 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 771 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 772 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 773 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 774 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_propagation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 775 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 776 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 777 | CKV2_AWS_37 | resource | aws_ecr_lifecycle_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 778 | CKV2_AWS_37 | resource | aws_ecr_repository | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 779 | CKV2_AWS_37 | resource | aws_ecr_repository_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 780 | CKV2_AWS_37 | resource | aws_ecs_capacity_provider | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 781 | CKV2_AWS_37 | resource | aws_ecs_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 782 | CKV2_AWS_37 | resource | aws_ecs_service | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 783 | CKV2_AWS_37 | resource | aws_ecs_task_definition | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 784 | CKV2_AWS_37 | resource | aws_efs_access_point | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 785 | CKV2_AWS_37 | resource | aws_efs_file_system | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 786 | CKV2_AWS_37 | resource | aws_efs_file_system_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 787 | CKV2_AWS_37 | resource | aws_efs_mount_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 788 | CKV2_AWS_37 | resource | aws_egress_only_internet_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 789 | CKV2_AWS_37 | resource | aws_eip | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 790 | CKV2_AWS_37 | resource | aws_eip_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 791 | CKV2_AWS_37 | resource | aws_eks_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 792 | CKV2_AWS_37 | resource | aws_eks_fargate_profile | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 793 | CKV2_AWS_37 | resource | aws_eks_node_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 794 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 795 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application_version | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 796 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_configuration_template | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 797 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_environment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 798 | CKV2_AWS_37 | resource | aws_elasticache_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 799 | CKV2_AWS_37 | resource | aws_elasticache_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 800 | CKV2_AWS_37 | resource | aws_elasticache_replication_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 801 | CKV2_AWS_37 | resource | aws_elasticache_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 802 | CKV2_AWS_37 | resource | aws_elasticache_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 803 | CKV2_AWS_37 | resource | aws_elasticsearch_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 804 | CKV2_AWS_37 | resource | aws_elasticsearch_domain_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 805 | CKV2_AWS_37 | resource | aws_elastictranscoder_pipeline | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 806 | CKV2_AWS_37 | resource | aws_elastictranscoder_preset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 807 | CKV2_AWS_37 | resource | aws_elb | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 808 | CKV2_AWS_37 | resource | aws_elb_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 809 | CKV2_AWS_37 | resource | aws_emr_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 810 | CKV2_AWS_37 | resource | aws_emr_instance_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 811 | CKV2_AWS_37 | resource | aws_emr_security_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 812 | CKV2_AWS_37 | resource | aws_flow_log | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 813 | CKV2_AWS_37 | resource | aws_fms_admin_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 814 | CKV2_AWS_37 | resource | aws_fsx_lustre_file_system | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 815 | CKV2_AWS_37 | resource | aws_fsx_windows_file_system | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 816 | CKV2_AWS_37 | resource | aws_gamelift_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 817 | CKV2_AWS_37 | resource | aws_gamelift_build | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 818 | CKV2_AWS_37 | resource | aws_gamelift_fleet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 819 | CKV2_AWS_37 | resource | aws_gamelift_game_session_queue | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 820 | CKV2_AWS_37 | resource | aws_glacier_vault | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 821 | CKV2_AWS_37 | resource | aws_glacier_vault_lock | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 822 | CKV2_AWS_37 | resource | aws_globalaccelerator_accelerator | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 823 | CKV2_AWS_37 | resource | aws_globalaccelerator_endpoint_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 824 | CKV2_AWS_37 | resource | aws_globalaccelerator_listener | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 825 | CKV2_AWS_37 | resource | aws_glue_catalog_database | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 826 | CKV2_AWS_37 | resource | aws_glue_catalog_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 827 | CKV2_AWS_37 | resource | aws_glue_classifier | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 828 | CKV2_AWS_37 | resource | aws_glue_connection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 829 | CKV2_AWS_37 | resource | aws_glue_crawler | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 830 | CKV2_AWS_37 | resource | aws_glue_job | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 831 | CKV2_AWS_37 | resource | aws_glue_security_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 832 | CKV2_AWS_37 | resource | aws_glue_trigger | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 833 | CKV2_AWS_37 | resource | aws_glue_workflow | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 834 | CKV2_AWS_37 | resource | aws_guardduty_detector | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 835 | CKV2_AWS_37 | resource | aws_guardduty_invite_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 836 | CKV2_AWS_37 | resource | aws_guardduty_ipset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 837 | CKV2_AWS_37 | resource | aws_guardduty_member | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 838 | CKV2_AWS_37 | resource | aws_guardduty_organization_admin_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 839 | CKV2_AWS_37 | resource | aws_guardduty_organization_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 840 | CKV2_AWS_37 | resource | aws_guardduty_threatintelset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 841 | CKV2_AWS_37 | resource | aws_iam_access_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 842 | CKV2_AWS_37 | resource | aws_iam_account_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 843 | CKV2_AWS_37 | resource | aws_iam_account_password_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 844 | CKV2_AWS_37 | resource | aws_iam_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 845 | CKV2_AWS_37 | resource | aws_iam_group_membership | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 846 | CKV2_AWS_37 | resource | aws_iam_group_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 847 | CKV2_AWS_37 | resource | aws_iam_group_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 848 | CKV2_AWS_37 | resource | aws_iam_instance_profile | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 849 | CKV2_AWS_37 | resource | aws_iam_openid_connect_provider | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 850 | CKV2_AWS_37 | resource | aws_iam_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 851 | CKV2_AWS_37 | resource | aws_iam_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 852 | CKV2_AWS_37 | resource | aws_iam_policy_document | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 853 | CKV2_AWS_37 | resource | aws_iam_role | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 854 | CKV2_AWS_37 | resource | aws_iam_role_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 855 | CKV2_AWS_37 | resource | aws_iam_role_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 856 | CKV2_AWS_37 | resource | aws_iam_saml_provider | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 857 | CKV2_AWS_37 | resource | aws_iam_server_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 858 | CKV2_AWS_37 | resource | aws_iam_service_linked_role | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 859 | CKV2_AWS_37 | resource | aws_iam_user | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 860 | CKV2_AWS_37 | resource | aws_iam_user_group_membership | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 861 | CKV2_AWS_37 | resource | aws_iam_user_login_profile | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 862 | CKV2_AWS_37 | resource | aws_iam_user_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 863 | CKV2_AWS_37 | resource | aws_iam_user_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 864 | CKV2_AWS_37 | resource | aws_iam_user_ssh_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 865 | CKV2_AWS_37 | resource | aws_inspector_assessment_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 866 | CKV2_AWS_37 | resource | aws_inspector_assessment_template | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 867 | CKV2_AWS_37 | resource | aws_inspector_resource_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 868 | CKV2_AWS_37 | resource | aws_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 869 | CKV2_AWS_37 | resource | aws_internet_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 870 | CKV2_AWS_37 | resource | aws_iot_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 871 | CKV2_AWS_37 | resource | aws_iot_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 872 | CKV2_AWS_37 | resource | aws_iot_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 873 | CKV2_AWS_37 | resource | aws_iot_role_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 874 | CKV2_AWS_37 | resource | aws_iot_thing | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 875 | CKV2_AWS_37 | resource | aws_iot_thing_principal_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 876 | CKV2_AWS_37 | resource | aws_iot_thing_type | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 877 | CKV2_AWS_37 | resource | aws_iot_topic_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 878 | CKV2_AWS_37 | resource | aws_key_pair | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 879 | CKV2_AWS_37 | resource | aws_kinesis_analytics_application | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 880 | CKV2_AWS_37 | resource | aws_kinesis_firehose_delivery_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 881 | CKV2_AWS_37 | resource | aws_kinesis_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 882 | CKV2_AWS_37 | resource | aws_kinesis_video_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 883 | CKV2_AWS_37 | resource | aws_kms_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 884 | CKV2_AWS_37 | resource | aws_kms_ciphertext | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 885 | CKV2_AWS_37 | resource | aws_kms_external_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 886 | CKV2_AWS_37 | resource | aws_kms_grant | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 887 | CKV2_AWS_37 | resource | aws_kms_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 888 | CKV2_AWS_37 | resource | aws_lambda_alias | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 889 | CKV2_AWS_37 | resource | aws_lambda_event_source_mapping | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 890 | CKV2_AWS_37 | resource | aws_lambda_function | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 891 | CKV2_AWS_37 | resource | aws_lambda_function_event_invoke_config | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 892 | CKV2_AWS_37 | resource | aws_lambda_layer_version | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 893 | CKV2_AWS_37 | resource | aws_lambda_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 894 | CKV2_AWS_37 | resource | aws_lambda_provisioned_concurrency_config | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 895 | CKV2_AWS_37 | resource | aws_launch_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 896 | CKV2_AWS_37 | resource | aws_launch_template | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 897 | CKV2_AWS_37 | resource | aws_lb | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 898 | CKV2_AWS_37 | resource | aws_lb_cookie_stickiness_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 899 | CKV2_AWS_37 | resource | aws_lb_listener | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 900 | CKV2_AWS_37 | resource | aws_lb_listener_certificate | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 901 | CKV2_AWS_37 | resource | aws_lb_listener_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 902 | CKV2_AWS_37 | resource | aws_lb_ssl_negotiation_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 903 | CKV2_AWS_37 | resource | aws_lb_target_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 904 | CKV2_AWS_37 | resource | aws_lb_target_group_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 905 | CKV2_AWS_37 | resource | aws_licensemanager_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 906 | CKV2_AWS_37 | resource | aws_licensemanager_license_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 907 | CKV2_AWS_37 | resource | aws_lightsail_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 908 | CKV2_AWS_37 | resource | aws_lightsail_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 909 | CKV2_AWS_37 | resource | aws_lightsail_key_pair | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 910 | CKV2_AWS_37 | resource | aws_lightsail_static_ip | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 911 | CKV2_AWS_37 | resource | aws_lightsail_static_ip_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 912 | CKV2_AWS_37 | resource | aws_load_balancer_backend_server_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 913 | CKV2_AWS_37 | resource | aws_load_balancer_listener_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 914 | CKV2_AWS_37 | resource | aws_load_balancer_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 915 | CKV2_AWS_37 | resource | aws_macie_member_account_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 916 | CKV2_AWS_37 | resource | aws_macie_s3_bucket_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 917 | CKV2_AWS_37 | resource | aws_main_route_table_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 918 | CKV2_AWS_37 | resource | aws_media_convert_queue | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 919 | CKV2_AWS_37 | resource | aws_media_package_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 920 | CKV2_AWS_37 | resource | aws_media_store_container | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 921 | CKV2_AWS_37 | resource | aws_media_store_container_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 922 | CKV2_AWS_37 | resource | aws_mq_broker | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 923 | CKV2_AWS_37 | resource | aws_mq_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 924 | CKV2_AWS_37 | resource | aws_msk_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 925 | CKV2_AWS_37 | resource | aws_msk_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 926 | CKV2_AWS_37 | resource | aws_nat_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 927 | CKV2_AWS_37 | resource | aws_neptune_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 928 | CKV2_AWS_37 | resource | aws_neptune_cluster_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 929 | CKV2_AWS_37 | resource | aws_neptune_cluster_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 930 | CKV2_AWS_37 | resource | aws_neptune_cluster_snapshot | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 931 | CKV2_AWS_37 | resource | aws_neptune_event_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 932 | CKV2_AWS_37 | resource | aws_neptune_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 933 | CKV2_AWS_37 | resource | aws_neptune_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 934 | CKV2_AWS_37 | resource | aws_network_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 935 | CKV2_AWS_37 | resource | aws_network_acl_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 936 | CKV2_AWS_37 | resource | aws_network_interface | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 937 | CKV2_AWS_37 | resource | aws_network_interface_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 938 | CKV2_AWS_37 | resource | aws_network_interface_sg_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 939 | CKV2_AWS_37 | resource | aws_opsworks_application | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 940 | CKV2_AWS_37 | resource | aws_opsworks_custom_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 941 | CKV2_AWS_37 | resource | aws_opsworks_ganglia_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 942 | CKV2_AWS_37 | resource | aws_opsworks_haproxy_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 943 | CKV2_AWS_37 | resource | aws_opsworks_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 944 | CKV2_AWS_37 | resource | aws_opsworks_java_app_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 945 | CKV2_AWS_37 | resource | aws_opsworks_memcached_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 946 | CKV2_AWS_37 | resource | aws_opsworks_mysql_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 947 | CKV2_AWS_37 | resource | aws_opsworks_nodejs_app_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 948 | CKV2_AWS_37 | resource | aws_opsworks_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 949 | CKV2_AWS_37 | resource | aws_opsworks_php_app_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 950 | CKV2_AWS_37 | resource | aws_opsworks_rails_app_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 951 | CKV2_AWS_37 | resource | aws_opsworks_rds_db_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 952 | CKV2_AWS_37 | resource | aws_opsworks_stack | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 953 | CKV2_AWS_37 | resource | aws_opsworks_static_web_layer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 954 | CKV2_AWS_37 | resource | aws_opsworks_user_profile | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 955 | CKV2_AWS_37 | resource | aws_organizations_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 956 | CKV2_AWS_37 | resource | aws_organizations_organization | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 957 | CKV2_AWS_37 | resource | aws_organizations_organizational_unit | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 958 | CKV2_AWS_37 | resource | aws_organizations_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 959 | CKV2_AWS_37 | resource | aws_organizations_policy_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 960 | CKV2_AWS_37 | resource | aws_pinpoint_adm_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 961 | CKV2_AWS_37 | resource | aws_pinpoint_apns_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 962 | CKV2_AWS_37 | resource | aws_pinpoint_apns_sandbox_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 963 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 964 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_sandbox_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 965 | CKV2_AWS_37 | resource | aws_pinpoint_app | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 966 | CKV2_AWS_37 | resource | aws_pinpoint_baidu_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 967 | CKV2_AWS_37 | resource | aws_pinpoint_email_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 968 | CKV2_AWS_37 | resource | aws_pinpoint_event_stream | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 969 | CKV2_AWS_37 | resource | aws_pinpoint_gcm_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 970 | CKV2_AWS_37 | resource | aws_pinpoint_sms_channel | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 971 | CKV2_AWS_37 | resource | aws_placement_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 972 | CKV2_AWS_37 | resource | aws_proxy_protocol_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 973 | CKV2_AWS_37 | resource | aws_qldb_ledger | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 974 | CKV2_AWS_37 | resource | aws_quicksight_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 975 | CKV2_AWS_37 | resource | aws_quicksight_user | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 976 | CKV2_AWS_37 | resource | aws_ram_principal_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 977 | CKV2_AWS_37 | resource | aws_ram_resource_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 978 | CKV2_AWS_37 | resource | aws_ram_resource_share | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 979 | CKV2_AWS_37 | resource | aws_ram_resource_share_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 980 | CKV2_AWS_37 | resource | aws_rds_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 981 | CKV2_AWS_37 | resource | aws_rds_cluster_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 982 | CKV2_AWS_37 | resource | aws_rds_cluster_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 983 | CKV2_AWS_37 | resource | aws_rds_cluster_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 984 | CKV2_AWS_37 | resource | aws_rds_global_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 985 | CKV2_AWS_37 | resource | aws_redshift_cluster | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 986 | CKV2_AWS_37 | resource | aws_redshift_event_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 987 | CKV2_AWS_37 | resource | aws_redshift_parameter_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 988 | CKV2_AWS_37 | resource | aws_redshift_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 989 | CKV2_AWS_37 | resource | aws_redshift_snapshot_copy_grant | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 990 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 991 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 992 | CKV2_AWS_37 | resource | aws_redshift_subnet_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 993 | CKV2_AWS_37 | resource | aws_resourcegroups_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 994 | CKV2_AWS_37 | resource | aws_root | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 995 | CKV2_AWS_37 | resource | aws_root_access_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 996 | CKV2_AWS_37 | resource | aws_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 997 | CKV2_AWS_37 | resource | aws_route53_delegation_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 998 | CKV2_AWS_37 | resource | aws_route53_health_check | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 999 | CKV2_AWS_37 | resource | aws_route53_query_log | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1000 | CKV2_AWS_37 | resource | aws_route53_record | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1001 | CKV2_AWS_37 | resource | aws_route53_resolver_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1002 | CKV2_AWS_37 | resource | aws_route53_resolver_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1003 | CKV2_AWS_37 | resource | aws_route53_resolver_rule_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1004 | CKV2_AWS_37 | resource | aws_route53_vpc_association_authorization | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1005 | CKV2_AWS_37 | resource | aws_route53_zone | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1006 | CKV2_AWS_37 | resource | aws_route53_zone_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1007 | CKV2_AWS_37 | resource | aws_route_table | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1008 | CKV2_AWS_37 | resource | aws_route_table_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1009 | CKV2_AWS_37 | resource | aws_s3_access_point | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1010 | CKV2_AWS_37 | resource | aws_s3_account_public_access_block | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1011 | CKV2_AWS_37 | resource | aws_s3_bucket | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1012 | CKV2_AWS_37 | resource | aws_s3_bucket_analytics_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1013 | CKV2_AWS_37 | resource | aws_s3_bucket_inventory | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1014 | CKV2_AWS_37 | resource | aws_s3_bucket_metric | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1015 | CKV2_AWS_37 | resource | aws_s3_bucket_notification | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1016 | CKV2_AWS_37 | resource | aws_s3_bucket_object | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1017 | CKV2_AWS_37 | resource | aws_s3_bucket_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1018 | CKV2_AWS_37 | resource | aws_s3_bucket_public_access_block | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1019 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1020 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1021 | CKV2_AWS_37 | resource | aws_sagemaker_model | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1022 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1023 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance_lifecycle_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1024 | CKV2_AWS_37 | resource | aws_secretsmanager_secret | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1025 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_rotation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1026 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_version | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1027 | CKV2_AWS_37 | resource | aws_security_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1028 | CKV2_AWS_37 | resource | aws_security_group_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1029 | CKV2_AWS_37 | resource | aws_securityhub_account | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1030 | CKV2_AWS_37 | resource | aws_securityhub_member | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1031 | CKV2_AWS_37 | resource | aws_securityhub_product_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1032 | CKV2_AWS_37 | resource | aws_securityhub_standards_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1033 | CKV2_AWS_37 | resource | aws_service_discovery_http_namespace | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1034 | CKV2_AWS_37 | resource | aws_service_discovery_private_dns_namespace | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1035 | CKV2_AWS_37 | resource | aws_service_discovery_public_dns_namespace | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1036 | CKV2_AWS_37 | resource | aws_service_discovery_service | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1037 | CKV2_AWS_37 | resource | aws_servicecatalog_portfolio | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1038 | CKV2_AWS_37 | resource | aws_servicequotas_service_quota | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1039 | CKV2_AWS_37 | resource | aws_ses_active_receipt_rule_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1040 | CKV2_AWS_37 | resource | aws_ses_configuration_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1041 | CKV2_AWS_37 | resource | aws_ses_domain_dkim | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1042 | CKV2_AWS_37 | resource | aws_ses_domain_identity | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1043 | CKV2_AWS_37 | resource | aws_ses_domain_identity_verification | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1044 | CKV2_AWS_37 | resource | aws_ses_domain_mail_from | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1045 | CKV2_AWS_37 | resource | aws_ses_email_identity | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1046 | CKV2_AWS_37 | resource | aws_ses_event_destination | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1047 | CKV2_AWS_37 | resource | aws_ses_identity_notification_topic | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1048 | CKV2_AWS_37 | resource | aws_ses_identity_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1049 | CKV2_AWS_37 | resource | aws_ses_receipt_filter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1050 | CKV2_AWS_37 | resource | aws_ses_receipt_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1051 | CKV2_AWS_37 | resource | aws_ses_receipt_rule_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1052 | CKV2_AWS_37 | resource | aws_ses_template | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1053 | CKV2_AWS_37 | resource | aws_sfn_activity | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1054 | CKV2_AWS_37 | resource | aws_sfn_state_machine | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1055 | CKV2_AWS_37 | resource | aws_shield_protection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1056 | CKV2_AWS_37 | resource | aws_simpledb_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1057 | CKV2_AWS_37 | resource | aws_snapshot_create_volume_permission | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1058 | CKV2_AWS_37 | resource | aws_sns_platform_application | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1059 | CKV2_AWS_37 | resource | aws_sns_sms_preferences | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1060 | CKV2_AWS_37 | resource | aws_sns_topic | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1061 | CKV2_AWS_37 | resource | aws_sns_topic_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1062 | CKV2_AWS_37 | resource | aws_sns_topic_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1063 | CKV2_AWS_37 | resource | aws_spot_datafeed_subscription | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1064 | CKV2_AWS_37 | resource | aws_spot_fleet_request | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1065 | CKV2_AWS_37 | resource | aws_spot_instance_request | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1066 | CKV2_AWS_37 | resource | aws_sqs_queue | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1067 | CKV2_AWS_37 | resource | aws_sqs_queue_policy | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1068 | CKV2_AWS_37 | resource | aws_ssm_activation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1069 | CKV2_AWS_37 | resource | aws_ssm_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1070 | CKV2_AWS_37 | resource | aws_ssm_document | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1071 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1072 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_target | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1073 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_task | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1074 | CKV2_AWS_37 | resource | aws_ssm_parameter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1075 | CKV2_AWS_37 | resource | aws_ssm_patch_baseline | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1076 | CKV2_AWS_37 | resource | aws_ssm_patch_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1077 | CKV2_AWS_37 | resource | aws_ssm_resource_data_sync | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1078 | CKV2_AWS_37 | resource | aws_storagegateway_cache | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1079 | CKV2_AWS_37 | resource | aws_storagegateway_cached_iscsi_volume | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1080 | CKV2_AWS_37 | resource | aws_storagegateway_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1081 | CKV2_AWS_37 | resource | aws_storagegateway_nfs_file_share | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1082 | CKV2_AWS_37 | resource | aws_storagegateway_smb_file_share | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1083 | CKV2_AWS_37 | resource | aws_storagegateway_upload_buffer | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1084 | CKV2_AWS_37 | resource | aws_storagegateway_working_storage | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1085 | CKV2_AWS_37 | resource | aws_subnet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1086 | CKV2_AWS_37 | resource | aws_swf_domain | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1087 | CKV2_AWS_37 | resource | aws_transfer_server | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1088 | CKV2_AWS_37 | resource | aws_transfer_ssh_key | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1089 | CKV2_AWS_37 | resource | aws_transfer_user | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1090 | CKV2_AWS_37 | resource | aws_volume_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1091 | CKV2_AWS_37 | resource | aws_vpc | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1092 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1093 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1094 | CKV2_AWS_37 | resource | aws_vpc_endpoint | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1095 | CKV2_AWS_37 | resource | aws_vpc_endpoint_connection_notification | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1096 | CKV2_AWS_37 | resource | aws_vpc_endpoint_route_table_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1097 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1098 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service_allowed_principal | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1099 | CKV2_AWS_37 | resource | aws_vpc_endpoint_subnet_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1100 | CKV2_AWS_37 | resource | aws_vpc_ipv4_cidr_block_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1101 | CKV2_AWS_37 | resource | aws_vpc_peering_connection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1102 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_accepter | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1103 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_options | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1104 | CKV2_AWS_37 | resource | aws_vpn_connection | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1105 | CKV2_AWS_37 | resource | aws_vpn_connection_route | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1106 | CKV2_AWS_37 | resource | aws_vpn_gateway | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1107 | CKV2_AWS_37 | resource | aws_vpn_gateway_attachment | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1108 | CKV2_AWS_37 | resource | aws_vpn_gateway_route_propagation | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1109 | CKV2_AWS_37 | resource | aws_waf_byte_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1110 | CKV2_AWS_37 | resource | aws_waf_geo_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1111 | CKV2_AWS_37 | resource | aws_waf_ipset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1112 | CKV2_AWS_37 | resource | aws_waf_rate_based_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1113 | CKV2_AWS_37 | resource | aws_waf_regex_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1114 | CKV2_AWS_37 | resource | aws_waf_regex_pattern_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1115 | CKV2_AWS_37 | resource | aws_waf_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1116 | CKV2_AWS_37 | resource | aws_waf_rule_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1117 | CKV2_AWS_37 | resource | aws_waf_size_constraint_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1118 | CKV2_AWS_37 | resource | aws_waf_sql_injection_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1119 | CKV2_AWS_37 | resource | aws_waf_web_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1120 | CKV2_AWS_37 | resource | aws_waf_xss_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1121 | CKV2_AWS_37 | resource | aws_wafregional_byte_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1122 | CKV2_AWS_37 | resource | aws_wafregional_geo_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1123 | CKV2_AWS_37 | resource | aws_wafregional_ipset | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1124 | CKV2_AWS_37 | resource | aws_wafregional_rate_based_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1125 | CKV2_AWS_37 | resource | aws_wafregional_regex_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1126 | CKV2_AWS_37 | resource | aws_wafregional_regex_pattern_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1127 | CKV2_AWS_37 | resource | aws_wafregional_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1128 | CKV2_AWS_37 | resource | aws_wafregional_rule_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1129 | CKV2_AWS_37 | resource | aws_wafregional_size_constraint_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1130 | CKV2_AWS_37 | resource | aws_wafregional_sql_injection_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1131 | CKV2_AWS_37 | resource | aws_wafregional_web_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1132 | CKV2_AWS_37 | resource | aws_wafregional_web_acl_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1133 | CKV2_AWS_37 | resource | aws_wafregional_xss_match_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1134 | CKV2_AWS_37 | resource | aws_wafv2_ip_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1135 | CKV2_AWS_37 | resource | aws_wafv2_regex_pattern_set | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1136 | CKV2_AWS_37 | resource | aws_wafv2_rule_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1137 | CKV2_AWS_37 | resource | aws_wafv2_web_acl | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1138 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1139 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_logging_configuration | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1140 | CKV2_AWS_37 | resource | aws_worklink_fleet | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1141 | CKV2_AWS_37 | resource | aws_worklink_website_certificate_authority_association | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1142 | CKV2_AWS_37 | resource | aws_workspaces_directory | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1143 | CKV2_AWS_37 | resource | aws_workspaces_ip_group | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1144 | CKV2_AWS_37 | resource | aws_workspaces_workspace | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1145 | CKV2_AWS_37 | resource | aws_xray_sampling_rule | Ensure Codecommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1146 | CKV2_AWS_38 | resource | aws_route53_zone | Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones | Terraform | [Route53ZoneEnableDNSSECSigning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneEnableDNSSECSigning.yaml) | +| 1147 | CKV2_AWS_39 | resource | aws_route53_zone | Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones | Terraform | [Route53ZoneHasMatchingQueryLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneHasMatchingQueryLog.yaml) | +| 1148 | CKV2_AWS_40 | resource | aws_iam_group_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1149 | CKV2_AWS_40 | resource | aws_iam_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1150 | CKV2_AWS_40 | resource | aws_iam_role_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1151 | CKV2_AWS_40 | resource | aws_iam_user_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1152 | CKV2_AWS_40 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1153 | CKV2_AWS_40 | resource | data.aws_iam_policy_document | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1154 | CKV2_AWS_41 | resource | aws_instance | Ensure an IAM role is attached to EC2 instance | Terraform | [EC2InstanceHasIAMRoleAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EC2InstanceHasIAMRoleAttached.yaml) | +| 1155 | CKV2_AWS_42 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution uses custom SSL certificate | Terraform | [CloudFrontHasCustomSSLCertificate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml) | +| 1156 | CKV2_AWS_43 | resource | aws_s3_bucket_acl | Ensure S3 Bucket does not allow access to all Authenticated users | Terraform | [S3NotAllowAccessToAllAuthenticatedUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml) | +| 1157 | CKV2_AWS_44 | resource | aws_route | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | +| 1158 | CKV2_AWS_44 | resource | aws_route_table | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | +| 1159 | CKV2_AWS_45 | resource | aws_config_configuration_recorder | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) | +| 1160 | CKV2_AWS_45 | resource | aws_config_configuration_recorder_status | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) | +| 1161 | CKV2_AWS_46 | resource | aws_cloudfront_distribution | Ensure AWS Cloudfront Distribution with S3 have Origin Access set to enabled | Terraform | [CLoudFrontS3OriginConfigWithOAI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CLoudFrontS3OriginConfigWithOAI.yaml) | +| 1162 | CKV2_AWS_47 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) | +| 1163 | CKV2_AWS_47 | resource | aws_wafv2_web_acl | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) | +| 1164 | CKV2_AWS_48 | resource | aws_config_configuration_recorder | Ensure AWS Config must record all possible resources | Terraform | [ConfigRecorderRecordsAllGlobalResources.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ConfigRecorderRecordsAllGlobalResources.yaml) | +| 1165 | CKV2_AWS_49 | resource | aws_dms_endpoint | Ensure AWS Database Migration Service endpoints have SSL configured | Terraform | [DMSEndpointHaveSSLConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/DMSEndpointHaveSSLConfigured.yaml) | +| 1166 | CKV2_AWS_50 | resource | aws_elasticache_replication_group | Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled | Terraform | [ElastiCacheRedisConfiguredAutomaticFailOver.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElastiCacheRedisConfiguredAutomaticFailOver.yaml) | +| 1167 | CKV2_AWS_51 | resource | aws_api_gateway_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | +| 1168 | CKV2_AWS_51 | resource | aws_apigatewayv2_api | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | +| 1169 | CKV2_AWS_51 | resource | aws_apigatewayv2_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | +| 1170 | CKV2_AWS_52 | resource | aws_elasticsearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) | +| 1171 | CKV2_AWS_52 | resource | aws_opensearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) | +| 1172 | CKV2_AWS_53 | resource | aws_api_gateway_method | Ensure AWS API gateway request is validated | Terraform | [APIGatewayRequestParameterValidationEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayRequestParameterValidationEnabled.yaml) | +| 1173 | CKV2_AWS_54 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication | Terraform | [CloudFrontUsesSecureProtocolsForHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontUsesSecureProtocolsForHTTPS.yaml) | +| 1174 | CKV2_AWS_55 | resource | aws_emr_cluster | Ensure AWS EMR cluster is configured with security configuration | Terraform | [EMRClusterHasSecurityConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EMRClusterHasSecurityConfiguration.yaml) | +| 1175 | CKV2_AWS_56 | resource | aws_iam_group_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1176 | CKV2_AWS_56 | resource | aws_iam_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1177 | CKV2_AWS_56 | resource | aws_iam_role | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1178 | CKV2_AWS_56 | resource | aws_iam_role_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1179 | CKV2_AWS_56 | resource | aws_iam_user_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1180 | CKV2_AWS_56 | resource | aws_ssoadmin_managed_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1181 | CKV2_AWS_56 | resource | data.aws_iam_policy | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1182 | CKV2_AWS_57 | resource | aws_secretsmanager_secret | Ensure Secrets Manager secrets should have automatic rotation enabled | Terraform | [SecretsAreRotated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SecretsAreRotated.yaml) | +| 1183 | CKV2_AWS_58 | resource | aws_neptune_cluster | Ensure AWS Neptune cluster deletion protection is enabled | Terraform | [NeptuneDeletionProtectionEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NeptuneDeletionProtectionEnabled.yaml) | +| 1184 | CKV2_AWS_59 | resource | aws_elasticsearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | +| 1185 | CKV2_AWS_59 | resource | aws_opensearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | +| 1186 | CKV2_AWS_60 | resource | aws_db_instance | Ensure RDS instance with copy tags to snapshots is enabled | Terraform | [RDSEnableCopyTagsToSnapshot.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSEnableCopyTagsToSnapshot.yaml) | +| 1187 | CKV2_AWS_61 | resource | aws_s3_bucket | Ensure that an S3 bucket has a lifecycle configuration | Terraform | [S3BucketLifecycle.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLifecycle.yaml) | +| 1188 | CKV2_AWS_62 | resource | aws_s3_bucket | Ensure S3 buckets should have event notifications enabled | Terraform | [S3BucketEventNotifications.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEventNotifications.yaml) | +| 1189 | CKV2_AWS_63 | resource | aws_networkfirewall_firewall | Ensure Network firewall has logging configuration defined | Terraform | [NetworkFirewallHasLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NetworkFirewallHasLogging.yaml) | +| 1190 | CKV2_AWS_64 | resource | aws_kms_key | Ensure KMS key Policy is defined | Terraform | [KmsKeyPolicyIsDefined.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/KmsKeyPolicyIsDefined.yaml) | +| 1191 | CKV2_AWS_65 | resource | aws_s3_bucket_ownership_controls | Ensure access control lists for S3 buckets are disabled | Terraform | [AWSdisableS3ACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml) | +| 1192 | CKV2_AWS_66 | resource | aws_mwaa_environment | Ensure MWAA environment is not publicly accessible | Terraform | [AWS_private_MWAA_environment.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml) | +| 1193 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | +| 1194 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | +| 1195 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | [AzureManagedDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryption.py) | +| 1196 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'enable_https_traffic_only' is enabled | Terraform | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsTransportEncryption.py) | +| 1197 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLoggingEnabled.py) | +| 1198 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py) | +| 1199 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSApiServerAuthorizedIpRanges.py) | +| 1200 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNetworkPolicy.py) | +| 1201 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kubernetes Dashboard is disabled | Terraform | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSDashboardDisabled.py) | +| 1202 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | +| 1203 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | +| 1204 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | +| 1205 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | +| 1206 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1207 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1208 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1209 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1210 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkWatcherFlowLogPeriod.py) | +| 1211 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1212 | CKV_AZURE_13 | resource | azurerm_linux_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1213 | CKV_AZURE_13 | resource | azurerm_windows_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1214 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1215 | CKV_AZURE_14 | resource | azurerm_linux_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1216 | CKV_AZURE_14 | resource | azurerm_windows_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1217 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1218 | CKV_AZURE_15 | resource | azurerm_linux_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1219 | CKV_AZURE_15 | resource | azurerm_windows_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1220 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1221 | CKV_AZURE_16 | resource | azurerm_linux_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1222 | CKV_AZURE_16 | resource | azurerm_windows_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1223 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1224 | CKV_AZURE_17 | resource | azurerm_linux_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1225 | CKV_AZURE_17 | resource | azurerm_windows_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1226 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1227 | CKV_AZURE_18 | resource | azurerm_linux_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1228 | CKV_AZURE_18 | resource | azurerm_windows_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1229 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterStandardPricing.py) | +| 1230 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactPhone.py) | +| 1231 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlert.py) | +| 1232 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlertAdmins.py) | +| 1233 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1234 | CKV_AZURE_23 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1235 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1236 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1237 | CKV_AZURE_24 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1238 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1239 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerThreatDetectionTypes.py) | +| 1240 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsEnabled.py) | +| 1241 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsToAdminsEnabled.py) | +| 1242 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerSSLEnforcementEnabled.py) | +| 1243 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerSSLEnforcementEnabled.py) | +| 1244 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1245 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogConnectionsEnabled.py) | +| 1246 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1247 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountLoggingQueueServiceEnabled.py) | +| 1248 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobServiceContainerPrivateAccess.py) | +| 1249 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | +| 1250 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | +| 1251 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | +| 1252 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | +| 1253 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileRetentionDays.py) | +| 1254 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileCategories.py) | +| 1255 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | [CutsomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CutsomRoleDefinitionSubscriptionOwner.py) | +| 1256 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyExpirationDate.py) | +| 1257 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretExpirationDate.py) | +| 1258 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyvaultRecoveryEnabled.py) | +| 1259 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform | [StorageAccountName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountName.py) | +| 1260 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountMinimumTlsVersion.py) | +| 1261 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | [VMCredsInCustomData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMCredsInCustomData.py) | +| 1262 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBSSLEnforcementEnabled.py) | +| 1263 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | [MariaDBPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBPublicAccessDisabled.py) | +| 1264 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureScaleSetPassword.py) | +| 1265 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | +| 1266 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | +| 1267 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerMinTLSVersion.py) | +| 1268 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLPublicAccessDisabled.py) | +| 1269 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerMinTLSVersion.py) | +| 1270 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | [AzureDefenderOnServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnServers.py) | +| 1271 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsEnableAuthentication.py) | +| 1272 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1273 | CKV_AZURE_57 | resource | azurerm_linux_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1274 | CKV_AZURE_57 | resource | azurerm_windows_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1275 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | +| 1276 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDisablePublicAccess.py) | +| 1277 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | [AzureDefenderOnAppServices.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnAppServices.py) | +| 1278 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppDisallowCORS.py) | +| 1279 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1280 | CKV_AZURE_63 | resource | azurerm_linux_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1281 | CKV_AZURE_63 | resource | azurerm_windows_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1282 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageSyncPublicAccessDisabled.py) | +| 1283 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1284 | CKV_AZURE_65 | resource | azurerm_linux_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1285 | CKV_AZURE_65 | resource | azurerm_windows_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1286 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1287 | CKV_AZURE_66 | resource | azurerm_linux_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1288 | CKV_AZURE_66 | resource | azurerm_windows_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1289 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | +| 1290 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | +| 1291 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | [PostgreSQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerPublicAccessDisabled.py) | +| 1292 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | [AzureDefenderOnSqlServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServers.py) | +| 1293 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1294 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 1295 | CKV_AZURE_71 | resource | azurerm_linux_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 1296 | CKV_AZURE_71 | resource | azurerm_windows_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 1297 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1298 | CKV_AZURE_72 | resource | azurerm_linux_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1299 | CKV_AZURE_72 | resource | azurerm_windows_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1300 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1301 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1302 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1303 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1304 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Terraform | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerUsesDiskEncryption.py) | +| 1305 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | [AzureDataExplorerDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDataExplorerDoubleEncryptionEnabled.py) | +| 1306 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureBatchAccountUsesKeyVaultEncryption.py) | +| 1307 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | +| 1308 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | +| 1309 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1310 | CKV_AZURE_78 | resource | azurerm_linux_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1311 | CKV_AZURE_78 | resource | azurerm_windows_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1312 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | [AzureDefenderOnSqlServerVMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServerVMS.py) | +| 1313 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | +| 1314 | CKV_AZURE_80 | resource | azurerm_windows_web_app | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | +| 1315 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | [AppServicePHPVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePHPVersion.py) | +| 1316 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePythonVersion.py) | +| 1317 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceJavaVersion.py) | +| 1318 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnStorage.py) | +| 1319 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | [AzureDefenderOnKubernetes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKubernetes.py) | +| 1320 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | [AzureDefenderOnContainerRegistry.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnContainerRegistry.py) | +| 1321 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | [AzureDefenderOnKeyVaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKeyVaults.py) | +| 1322 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1323 | CKV_AZURE_88 | resource | azurerm_linux_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1324 | CKV_AZURE_88 | resource | azurerm_windows_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1325 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCachePublicNetworkAccessEnabled.py) | +| 1326 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | [RedisCacheEnableNonSSLPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheEnableNonSSLPort.py) | +| 1327 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | +| 1328 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | +| 1329 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryptionSet.py) | +| 1330 | CKV_AZURE_94 | resource | azurerm_mysql_flexible_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | +| 1331 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | +| 1332 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMScaleSetsAutoOSImagePatchingEnabled.py) | +| 1333 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | [MySQLEncryptionEnaled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLEncryptionEnaled.py) | +| 1334 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | +| 1335 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | +| 1336 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | [AzureContainerGroupDeployedIntoVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerGroupDeployedIntoVirtualNetwork.py) | +| 1337 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | [CosmosDBAccountsRestrictedAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBAccountsRestrictedAccess.py) | +| 1338 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBHaveCMK.py) | +| 1339 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisablesPublicNetwork.py) | +| 1340 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | [PostgressSQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgressSQLGeoBackupEnabled.py) | +| 1341 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryUsesGitRepository.py) | +| 1342 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | [DataFactoryNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryNoPublicNetworkAccess.py) | +| 1343 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | [DataLakeStoreEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataLakeStoreEncryption.py) | +| 1344 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | [EventgridDomainNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainNetworkAccess.py) | +| 1345 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIServicesUseVirtualNetwork.py) | +| 1346 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | [IoTNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/IoTNoPublicNetworkAccess.py) | +| 1347 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesFirewallRulesSettings.py) | +| 1348 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | [KeyVaultEnablesPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesPurgeProtection.py) | +| 1349 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesSoftDelete.py) | +| 1350 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyBackedByHSM.py) | +| 1351 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | [SQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerPublicAccessDisabled.py) | +| 1352 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretContentType.py) | +| 1353 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | [AKSEnablesPrivateClusters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEnablesPrivateClusters.py) | +| 1354 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | [AKSUsesAzurePoliciesAddon.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesAzurePoliciesAddon.py) | +| 1355 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | [AKSUsesDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesDiskEncryptionSet.py) | +| 1356 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | [NetworkInterfaceEnableIPForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkInterfaceEnableIPForwarding.py) | +| 1357 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | [AzureNetworkInterfacePublicIPAddressId.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureNetworkInterfacePublicIPAddressId.yaml) | +| 1358 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | +| 1359 | CKV_AZURE_120 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | +| 1360 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFrontDoorEnablesWAF.py) | +| 1361 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | [AppGWUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUseWAFMode.py) | +| 1362 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontdoorUseWAFMode.py) | +| 1363 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | [AzureSearchPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchPublicNetworkAccessDisabled.py) | +| 1364 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | [AzureServiceFabricClusterProtectionLevel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py) | +| 1365 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | [ActiveDirectoryUsedAuthenticationServiceFabric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ActiveDirectoryUsedAuthenticationServiceFabric.py) | +| 1366 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | [MySQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLTreatDetectionEnabled.py) | +| 1367 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | [PostgresSQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgresSQLTreatDetectionEnabled.py) | +| 1368 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | [MariaDBGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBGeoBackupEnabled.py) | +| 1369 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLEncryptionEnabled.py) | +| 1370 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | [SecurityCenterContactEmails.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmails.py) | +| 1371 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisableAccessKeyWrite.py) | +| 1372 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [FrontDoorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontDoorWAFACLCVE202144228.py) | +| 1373 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesDisablesPublicNetwork.py) | +| 1374 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [AppGatewayWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGatewayWAFACLCVE202144228.py) | +| 1375 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform | [PostgreSQLFlexiServerGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLFlexiServerGeoBackupEnabled.py) | +| 1376 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform | [ACRAdminAccountDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAdminAccountDisabled.py) | +| 1377 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform | [ACRAnonymousPullDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py) | +| 1378 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform | [ACRPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRPublicNetworkAccessDisabled.py) | +| 1379 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform | [CosmosDBLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBLocalAuthDisabled.py) | +| 1380 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform | [AKSLocalAdminDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLocalAdminDisabled.py) | +| 1381 | CKV_AZURE_142 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform | [MLCCLADisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLCCLADisabled.py) | +| 1382 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform | [AKSNodePublicIpDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNodePublicIpDisabled.py) | +| 1383 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform | [MLPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLPublicAccess.py) | +| 1384 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1385 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogRetentionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogRetentionEnabled.py) | +| 1386 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform | [PostgreSQLMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLMinTLSVersion.py) | +| 1387 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform | [RedisCacheMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheMinTLSVersion.py) | +| 1388 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | +| 1389 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | +| 1390 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform | [MLComputeClusterMinNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLComputeClusterMinNodes.py) | +| 1391 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMEncryptionAtHost.py) | +| 1392 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | [APIManagementCertsEnforced.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementCertsEnforced.py) | +| 1393 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 1394 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | [AppServiceSlotMinTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py) | +| 1395 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotDebugDisabled.py) | +| 1396 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | [MSSQLServerAuditPolicyLogMonitor.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerAuditPolicyLogMonitor.py) | +| 1397 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesDataExfilProtection.py) | +| 1398 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace has not public | Terraform | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py) | +| 1399 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | +| 1400 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | +| 1401 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | +| 1402 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | +| 1403 | CKV_AZURE_161 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal is enabled on for HTTPS | Terraform | [SpringCloudAPIPortalHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalHTTPSOnly.py) | +| 1404 | CKV_AZURE_162 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal Public Access Is Disabled | Terraform | [SpringCloudAPIPortalPublicAccessIsDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py) | +| 1405 | CKV_AZURE_163 | resource | azurerm_container_registry | Enable vulnerability scanning for container images. | Terraform | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py) | +| 1406 | CKV_AZURE_164 | resource | azurerm_container_registry | Ensures that ACR uses signed/trusted images | Terraform | [ACRUseSignedImages.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRUseSignedImages.py) | +| 1407 | CKV_AZURE_165 | resource | azurerm_container_registry | Ensure geo-replicated container registries to match multi-region container deployments. | Terraform | [ACRGeoreplicated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py) | +| 1408 | CKV_AZURE_166 | resource | azurerm_container_registry | Ensure container image quarantine, scan, and mark images verified | Terraform | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableImageQuarantine.py) | +| 1409 | CKV_AZURE_167 | resource | azurerm_container_registry | Ensure a retention policy is set to cleanup untagged manifests. | Terraform | [ACREnableRetentionPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py) | +| 1410 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | +| 1411 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster_node_pool | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | +| 1412 | CKV_AZURE_169 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Terraform | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSPoolTypeIsScaleSet.py) | +| 1413 | CKV_AZURE_170 | resource | azurerm_kubernetes_cluster | Ensure that AKS use the Paid Sku for its SLA | Terraform | [AKSIsPaidSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSIsPaidSku.py) | +| 1414 | CKV_AZURE_171 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster upgrade channel is chosen | Terraform | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUpgradeChannel.py) | +| 1415 | CKV_AZURE_172 | resource | azurerm_kubernetes_cluster | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Terraform | [AKSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSSecretStoreRotation.py) | +| 1416 | CKV_AZURE_173 | resource | azurerm_api_management | Ensure API management uses at least TLS 1.2 | Terraform | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py) | +| 1417 | CKV_AZURE_174 | resource | azurerm_api_management | Ensure API management public access is disabled | Terraform | [APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementPublicAccess.py) | +| 1418 | CKV_AZURE_175 | resource | azurerm_web_pubsub | Ensure Web PubSub uses a SKU with an SLA | Terraform | [PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSKUSLA.py) | +| 1419 | CKV_AZURE_176 | resource | azurerm_web_pubsub | Ensure Web PubSub uses managed identities to access Azure resources | Terraform | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSpecifyIdentity.py) | +| 1420 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | +| 1421 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine_scale_set | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | +| 1422 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | +| 1423 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine_scale_set | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | +| 1424 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1425 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1426 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1427 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1428 | CKV_AZURE_180 | resource | azurerm_kusto_cluster | Ensure that data explorer uses Sku with an SLA | Terraform | [DataExplorerSKUHasSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerSKUHasSLA.py) | +| 1429 | CKV_AZURE_181 | resource | azurerm_kusto_cluster | Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. | Terraform | [DataExplorerServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerServiceIdentity.py) | +| 1430 | CKV_AZURE_182 | resource | azurerm_virtual_network | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | +| 1431 | CKV_AZURE_182 | resource | azurerm_virtual_network_dns_servers | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | +| 1432 | CKV_AZURE_183 | resource | azurerm_virtual_network | Ensure that VNET uses local DNS addresses | Terraform | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetLocalDNS.py) | +| 1433 | CKV_AZURE_184 | resource | azurerm_app_configuration | Ensure 'local_auth_enabled' is set to 'False' | Terraform | [AppConfigLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigLocalAuth.py) | +| 1434 | CKV_AZURE_185 | resource | azurerm_app_configuration | Ensure 'Public Access' is not Enabled for App configuration | Terraform | [AppConfigPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPublicAccess.py) | +| 1435 | CKV_AZURE_186 | resource | azurerm_app_configuration | Ensure App configuration encryption block is set. | Terraform | [AppConfigEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigEncryption.py) | +| 1436 | CKV_AZURE_187 | resource | azurerm_app_configuration | Ensure App configuration purge protection is enabled | Terraform | [AppConfigPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPurgeProtection.py) | +| 1437 | CKV_AZURE_188 | resource | azurerm_app_configuration | Ensure App configuration Sku is standard | Terraform | [AppConfigSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigSku.py) | +| 1438 | CKV_AZURE_189 | resource | azurerm_key_vault | Ensure that Azure Key Vault disables public network access | Terraform | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py) | +| 1439 | CKV_AZURE_190 | resource | azurerm_storage_account | Ensure that Storage blobs restrict public access | Terraform | [StorageBlobRestrictPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py) | +| 1440 | CKV_AZURE_191 | resource | azurerm_eventgrid_topic | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Terraform | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicIdentityProviderEnabled.py) | +| 1441 | CKV_AZURE_192 | resource | azurerm_eventgrid_topic | Ensure that Azure Event Grid Topic local Authentication is disabled | Terraform | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicLocalAuthentication.py) | +| 1442 | CKV_AZURE_193 | resource | azurerm_eventgrid_topic | Ensure public network access is disabled for Azure Event Grid Topic | Terraform | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicNetworkAccess.py) | +| 1443 | CKV_AZURE_194 | resource | azurerm_eventgrid_domain | Ensure that Managed identity provider is enabled for Azure Event Grid Domain | Terraform | [EventgridDomainIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainIdentityProviderEnabled.py) | +| 1444 | CKV_AZURE_195 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain local Authentication is disabled | Terraform | [EventgridDomainLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainLocalAuthentication.py) | +| 1445 | CKV_AZURE_196 | resource | azurerm_signalr_service | Ensure that SignalR uses a Paid Sku for its SLA | Terraform | [SignalRSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SignalRSKUSLA.py) | +| 1446 | CKV_AZURE_197 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN disables the HTTP endpoint | Terraform | [CDNDisableHttpEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNDisableHttpEndpoints.py) | +| 1447 | CKV_AZURE_198 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN enables the HTTPS endpoint | Terraform | [CDNEnableHttpsEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNEnableHttpsEndpoints.py) | +| 1448 | CKV_AZURE_199 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses double encryption | Terraform | [AzureServicebusDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusDoubleEncryptionEnabled.py) | +| 1449 | CKV_AZURE_200 | resource | azurerm_cdn_endpoint_custom_domain | Ensure the Azure CDN endpoint is using the latest version of TLS encryption | Terraform | [CDNTLSProtocol12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py) | +| 1450 | CKV_AZURE_201 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses a customer-managed key to encrypt data | Terraform | [AzureServicebusHasCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusHasCMK.py) | +| 1451 | CKV_AZURE_202 | resource | azurerm_servicebus_namespace | Ensure that Managed identity provider is enabled for Azure Service Bus | Terraform | [AzureServicebusIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusIdentityProviderEnabled.py) | +| 1452 | CKV_AZURE_203 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus Local Authentication is disabled | Terraform | [AzureServicebusLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusLocalAuthDisabled.py) | +| 1453 | CKV_AZURE_204 | resource | azurerm_servicebus_namespace | Ensure 'public network access enabled' is set to 'False' for Azure Service Bus | Terraform | [AzureServicebusPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusPublicAccessDisabled.py) | +| 1454 | CKV_AZURE_205 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus is using the latest version of TLS encryption | Terraform | [AzureServicebusMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusMinTLSVersion.py) | +| 1455 | CKV_AZURE_206 | resource | azurerm_storage_account | Ensure that Storage Accounts use replication | Terraform | [StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsUseReplication.py) | +| 1456 | CKV_AZURE_207 | resource | azurerm_search_service | Ensure Azure Cognitive Search service uses managed identities to access Azure resources | Terraform | [AzureSearchManagedIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchManagedIdentity.py) | +| 1457 | CKV_AZURE_208 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for index updates | Terraform | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAIndex.py) | +| 1458 | CKV_AZURE_209 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for search index queries | Terraform | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAQueryUpdates.py) | +| 1459 | CKV_AZURE_210 | resource | azurerm_search_service | Ensure Azure Cognitive Search service allowed IPS does not give public Access | Terraform | [AzureSearchAllowedIPsNotGlobal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchAllowedIPsNotGlobal.py) | +| 1460 | CKV_AZURE_211 | resource | azurerm_service_plan | Ensure App Service plan suitable for production use | Terraform | [AppServiceSkuMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSkuMinimum.py) | +| 1461 | CKV_AZURE_212 | resource | azurerm_service_plan | Ensure App Service has a minimum number of instances for failover | Terraform | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py) | +| 1462 | CKV_AZURE_213 | resource | azurerm_app_service | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1463 | CKV_AZURE_213 | resource | azurerm_linux_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1464 | CKV_AZURE_213 | resource | azurerm_windows_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1465 | CKV_AZURE_214 | resource | azurerm_linux_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | +| 1466 | CKV_AZURE_214 | resource | azurerm_windows_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | +| 1467 | CKV_AZURE_215 | resource | azurerm_api_management_backend | Ensure API management backend uses https | Terraform | [APIManagementBackendHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementBackendHTTPS.py) | +| 1468 | CKV_AZURE_216 | resource | azurerm_firewall | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Terraform | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDenyThreatIntelMode.py) | +| 1469 | CKV_AZURE_217 | resource | azurerm_application_gateway | Ensure Azure Application gateways listener that allow connection requests over HTTP | Terraform | [AppGWUsesHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUsesHttps.py) | +| 1470 | CKV_AZURE_218 | resource | azurerm_application_gateway | Ensure Application Gateway defines secure protocols for in transit communication | Terraform | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py) | +| 1471 | CKV_AZURE_219 | resource | azurerm_firewall | Ensure Firewall defines a firewall policy | Terraform | [AzureFirewallDefinesPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDefinesPolicy.py) | +| 1472 | CKV_AZURE_220 | resource | azurerm_firewall_policy | Ensure Firewall policy has IDPS mode as deny | Terraform | [AzureFirewallPolicyIDPSDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallPolicyIDPSDeny.py) | +| 1473 | CKV_AZURE_221 | resource | azurerm_linux_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1474 | CKV_AZURE_221 | resource | azurerm_linux_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1475 | CKV_AZURE_221 | resource | azurerm_windows_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1476 | CKV_AZURE_221 | resource | azurerm_windows_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1477 | CKV_AZURE_222 | resource | azurerm_linux_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | +| 1478 | CKV_AZURE_222 | resource | azurerm_windows_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | +| 1479 | CKV_AZURE_223 | resource | azurerm_eventhub_namespace | Ensure Event Hub Namespace uses at least TLS 1.2 | Terraform | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceMinTLS12.py) | +| 1480 | CKV_AZURE_224 | resource | azurerm_mssql_database | Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity | Terraform | [SQLDatabaseLedgerEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseLedgerEnabled.py) | +| 1481 | CKV_AZURE_225 | resource | azurerm_service_plan | Ensure the App Service Plan is zone redundant | Terraform | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py) | +| 1482 | CKV_AZURE_226 | resource | azurerm_kubernetes_cluster | Ensure ephemeral disks are used for OS disks | Terraform | [AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py) | +| 1483 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | +| 1484 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster_node_pool | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | +| 1485 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | [StorageCriticalDataEncryptedCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageCriticalDataEncryptedCMK.yaml) | +| 1486 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | +| 1487 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | +| 1488 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1489 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1490 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1491 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1492 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1493 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1494 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1495 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1496 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1497 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1498 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1499 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1500 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | +| 1501 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | +| 1502 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | [AzureActiveDirectoryAdminIsConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureActiveDirectoryAdminIsConfigured.yaml) | +| 1503 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 1504 | CKV2_AZURE_8 | resource | azurerm_storage_account | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 1505 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 1506 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | [VirtualMachinesUtilizingManagedDisks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VirtualMachinesUtilizingManagedDisks.yaml) | +| 1507 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | +| 1508 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | +| 1509 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | [DataExplorerEncryptionUsesCustomKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DataExplorerEncryptionUsesCustomKey.yaml) | +| 1510 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | [VMHasBackUpMachine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VMHasBackUpMachine.yaml) | +| 1511 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | +| 1512 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | +| 1513 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | +| 1514 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | +| 1515 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | [AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml) | +| 1516 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | +| 1517 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | +| 1518 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | +| 1519 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | +| 1520 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | [AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml) | +| 1521 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 1522 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 1523 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 1524 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 1525 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 1526 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 1527 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | +| 1528 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | +| 1529 | CKV2_AZURE_23 | resource | azurerm_spring_cloud_service | Ensure Azure spring cloud is configured with Virtual network (Vnet) | Terraform | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudConfigWithVnet.yaml) | +| 1530 | CKV2_AZURE_24 | resource | azurerm_automation_account | Ensure Azure automation account does NOT have overly permissive network access | Terraform | [AzureAutomationAccNotOverlyPermissiveNetAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccNotOverlyPermissiveNetAccess.yaml) | +| 1531 | CKV2_AZURE_25 | resource | azurerm_mssql_database | Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled | Terraform | [AzureSqlDbEnableTransparentDataEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSqlDbEnableTransparentDataEncryption.yaml) | +| 1532 | CKV2_AZURE_26 | resource | azurerm_postgresql_flexible_server_firewall_rule | Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access | Terraform | [AzurePostgreSQLFlexServerNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLFlexServerNotOverlyPermissive.yaml) | +| 1533 | CKV2_AZURE_27 | resource | azurerm_mssql_server | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Terraform | [AzureConfigMSSQLwithAD.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml) | +| 1534 | CKV2_AZURE_28 | resource | azurerm_container_group | Ensure Container Instance is configured with managed identity | Terraform | [AzureContainerInstanceconfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureContainerInstanceconfigManagedIdentity.yaml) | +| 1535 | CKV2_AZURE_29 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Azure CNI networking enabled | Terraform | [AzureAKSclusterAzureCNIEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAKSclusterAzureCNIEnabled.yaml) | +| 1536 | CKV2_AZURE_30 | resource | azurerm_container_registry_webhook | Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook | Terraform | [AzureACR_HTTPSwebhook.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureACR_HTTPSwebhook.yaml) | +| 1537 | CKV2_AZURE_31 | resource | azurerm_subnet | Ensure VNET subnet is configured with a Network Security Group (NSG) | Terraform | [AzureSubnetConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSubnetConfigWithNSG.yaml) | +| 1538 | CKV2_AZURE_32 | resource | azurerm_key_vault | Ensure private endpoint is configured to key vault | Terraform | [AzureKeyVaultConfigPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureKeyVaultConfigPrivateEndpoint.yaml) | +| 1539 | CKV2_AZURE_33 | resource | azurerm_storage_account | Ensure storage account is configured with private endpoint | Terraform | [AzureStorageAccConfigWithPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithPrivateEndpoint.yaml) | +| 1540 | CKV2_AZURE_34 | resource | azurerm_sql_firewall_rule | Ensure Azure SQL server firewall is not overly permissive | Terraform | [AzureSQLserverNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSQLserverNotOverlyPermissive.yaml) | +| 1541 | CKV2_AZURE_35 | resource | azurerm_recovery_services_vault | Ensure Azure recovery services vault is configured with managed identity | Terraform | [AzureRecoveryServicesvaultConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureRecoveryServicesvaultConfigManagedIdentity.yaml) | +| 1542 | CKV2_AZURE_36 | resource | azurerm_automation_account | Ensure Azure automation account is configured with managed identity | Terraform | [AzureAutomationAccConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccConfigManagedIdentity.yaml) | +| 1543 | CKV2_AZURE_37 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is using latest TLS (1.2) | Terraform | [AzureMariaDBserverUsingTLS_1_2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverUsingTLS_1_2.yaml) | +| 1544 | CKV2_AZURE_38 | resource | azurerm_storage_account | Ensure soft-delete is enabled on Azure storage account | Terraform | [AzureStorageAccountEnableSoftDelete.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccountEnableSoftDelete.yaml) | +| 1545 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/bridgecrew/credentials.py) | +| 1546 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | [SpacesBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketVersioning.py) | +| 1547 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | [DropletSSHKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/DropletSSHKeys.py) | +| 1548 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | [SpacesBucketPublicRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketPublicRead.py) | +| 1549 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | [FirewallIngressOpen.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/FirewallIngressOpen.py) | +| 1550 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClusterLogging.py) | +| 1551 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | [GoogleComputeFirewallUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress22.py) | +| 1552 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3389.py) | +| 1553 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | [GoogleComputeSSLPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSSLPolicy.py) | +| 1554 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | [GoogleCloudSqlDatabaseRequireSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py) | +| 1555 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | [GKEDisableLegacyAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDisableLegacyAuth.py) | +| 1556 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMonitoringEnabled.py) | +| 1557 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoRepairEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoRepairEnabled.py) | +| 1558 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoUpgradeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoUpgradeEnabled.py) | +| 1559 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | [GoogleCloudSqlDatabasePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabasePubliclyAccessible.py) | +| 1560 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | [GKENetworkPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENetworkPolicyEnabled.py) | +| 1561 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | [GKEClientCertificateDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py) | +| 1562 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | [GoogleCloudSqlBackupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlBackupConfiguration.py) | +| 1563 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | [GoogleBigQueryDatasetPublicACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleBigQueryDatasetPublicACL.py) | +| 1564 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | [GoogleCloudDNSSECEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSSECEnabled.py) | +| 1565 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | [GoogleCloudDNSKeySpecsRSASHA1.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSKeySpecsRSASHA1.py) | +| 1566 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | [GKEPublicControlPlane.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPublicControlPlane.py) | +| 1567 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | [GKEBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBasicAuth.py) | +| 1568 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | [GKEMasterAuthorizedNetworksEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMasterAuthorizedNetworksEnabled.py) | +| 1569 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | [GKEHasLabels.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEHasLabels.py) | +| 1570 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | [GKEUseCosImage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py) | +| 1571 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | [GKEAliasIpEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEAliasIpEnabled.py) | +| 1572 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | [GKEPodSecurityPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py) | +| 1573 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | [GKEPrivateClusterConfig.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateClusterConfig.py) | +| 1574 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | [GoogleSubnetworkLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkLoggingEnabled.py) | +| 1575 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | [GoogleProjectDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectDefaultNetwork.py) | +| 1576 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | +| 1577 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | +| 1578 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | [GoogleStorageBucketUniformAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketUniformAccess.py) | +| 1579 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 1580 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 1581 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 1582 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 1583 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 1584 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 1585 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 1586 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 1587 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 1588 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | [GoogleComputeProjectOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeProjectOSLogin.py) | +| 1589 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 1590 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 1591 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 1592 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 1593 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 1594 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 1595 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 1596 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 1597 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 1598 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDiskEncryption.py) | +| 1599 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeBootDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBootDiskEncryption.py) | +| 1600 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 1601 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 1602 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 1603 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 1604 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 1605 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 1606 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | +| 1607 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | +| 1608 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | [GoogleProjectAdminServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectAdminServiceAccount.py) | +| 1609 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | [GoogleKMSRotationPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py) | +| 1610 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | +| 1611 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | +| 1612 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | +| 1613 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | +| 1614 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | +| 1615 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | +| 1616 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | +| 1617 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | +| 1618 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | +| 1619 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | +| 1620 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | +| 1621 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | +| 1622 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | [GoogleCloudMySqlLocalInfileOff.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudMySqlLocalInfileOff.py) | +| 1623 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogCheckpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py) | +| 1624 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogConnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py) | +| 1625 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogDisconnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py) | +| 1626 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogLockWaits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py) | +| 1627 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | [GoogleCloudPostgreSqlLogMinMessage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinMessage.py) | +| 1628 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | [GoogleCloudPostgreSqlLogTemp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogTemp.py) | +| 1629 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | [GoogleCloudPostgreSqlLogMinDuration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinDuration.py) | +| 1630 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | [GoogleCloudSqlServerCrossDBOwnershipChaining.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerCrossDBOwnershipChaining.py) | +| 1631 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | [GoogleCloudSqlServerContainedDBAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerContainedDBAuthentication.py) | +| 1632 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | [GoogleCloudSqlServerNoPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerNoPublicIP.py) | +| 1633 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | [GKEEnableVPCFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableVPCFlowLogs.py) | +| 1634 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | [CloudStorageLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageLogging.py) | +| 1635 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | [CloudStorageSelfLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageSelfLogging.py) | +| 1636 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | [GKEPrivateNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateNodes.py) | +| 1637 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | [GKEKubernetesRBACGoogleGroups.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEKubernetesRBACGoogleGroups.py) | +| 1638 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | [GKEBinaryAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py) | +| 1639 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | +| 1640 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | +| 1641 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | +| 1642 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | +| 1643 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | [GKEReleaseChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEReleaseChannel.py) | +| 1644 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | [GKEEnableShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableShieldedNodes.py) | +| 1645 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | +| 1646 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | +| 1647 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [CloudArmorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py) | +| 1648 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | [GoogleSubnetworkPrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py) | +| 1649 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | [GoogleComputeFirewallUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress21.py) | +| 1650 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | [GoogleSubnetworkIPV6PrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py) | +| 1651 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | [GoogleComputeFirewallUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress20.py) | +| 1652 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | [CloudStorageVersioningEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageVersioningEnabled.py) | +| 1653 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | [CloudSqlMajorVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudSqlMajorVersion.py) | +| 1654 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryTableEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableEncryptedWithCMK.py) | +| 1655 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryDatasetEncryptedWithCMK.py) | +| 1656 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | [GoogleKMSPreventDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSPreventDestroy.py) | +| 1657 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [CloudPubSubEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudPubSubEncryptedWithCMK.py) | +| 1658 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [ArtifactRegsitryEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegsitryEncryptedWithCMK.py) | +| 1659 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigTableInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceEncryptedWithCMK.py) | +| 1660 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | [CloudBuildWorkersArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudBuildWorkersArePrivate.py) | +| 1661 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | [DataFusionPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionPrivateInstance.py) | +| 1662 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3306.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3306.py) | +| 1663 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | [VertexAIPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIPrivateInstance.py) | +| 1664 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataflowJobEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowJobEncryptedWithCMK.py) | +| 1665 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataprocClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocClusterEncryptedWithCMK.py) | +| 1666 | CKV_GCP_92 | resource | google_vertex_ai_dataset | Ensure Vertex AI datasets uses a CMK (Customer Manager Key) | Terraform | [VertexAIDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIDatasetEncryptedWithCMK.py) | +| 1667 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [SpannerDatabaseEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseEncryptedWithCMK.py) | +| 1668 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | [DataflowPrivateJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowPrivateJob.py) | +| 1669 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | [MemorystoreForRedisAuthEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisAuthEnabled.py) | +| 1670 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Manager Key) | Terraform | [VertexAIMetadataStoreEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIMetadataStoreEncryptedWithCMK.py) | +| 1671 | CKV_GCP_97 | resource | google_redis_instance | Ensure Memorystore for Redis uses intransit encryption | Terraform | [MemorystoreForRedisInTransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisInTransitEncryption.py) | +| 1672 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | +| 1673 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | +| 1674 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | +| 1675 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | +| 1676 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | +| 1677 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | +| 1678 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | +| 1679 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | +| 1680 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | +| 1681 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | +| 1682 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | [DataprocPublicIpCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPublicIpCluster.py) | +| 1683 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | [DataFusionStackdriverLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverLogs.py) | +| 1684 | CKV_GCP_105 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver monitoring enabled | Terraform | [DataFusionStackdriverMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverMonitoring.py) | +| 1685 | CKV_GCP_106 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | Terraform | [GoogleComputeFirewallUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress80.py) | +| 1686 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 1687 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 1688 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 1689 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 1690 | CKV_GCP_108 | resource | google_sql_database_instance | Ensure hostnames are logged for GCP PostgreSQL databases | Terraform | [GoogleCloudPostgreSqlLogHostname.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogHostname.py) | +| 1691 | CKV_GCP_109 | resource | google_sql_database_instance | Ensure the GCP PostgreSQL database log levels are set to ERROR or lower | Terraform | [GoogleCloudPostgreSqlLogMinErrorStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinErrorStatement.py) | +| 1692 | CKV_GCP_110 | resource | google_sql_database_instance | Ensure pgAudit is enabled for your GCP PostgreSQL database | Terraform | [GoogleCloudPostgreSqlEnablePgaudit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlEnablePgaudit.py) | +| 1693 | CKV_GCP_111 | resource | google_sql_database_instance | Ensure GCP PostgreSQL logs SQL statements | Terraform | [GoogleCloudPostgreSqlLogStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogStatement.py) | +| 1694 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_binding | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | +| 1695 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_member | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | +| 1696 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_policy | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | +| 1697 | CKV_GCP_113 | data | google_iam_policy | Ensure IAM policy should not define public access | Terraform | [GooglePolicyIsPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py) | +| 1698 | CKV_GCP_114 | resource | google_storage_bucket | Ensure public access prevention is enforced on Cloud Storage bucket | Terraform | [GoogleStoragePublicAccessPrevention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStoragePublicAccessPrevention.py) | +| 1699 | CKV_GCP_115 | resource | google_organization_iam_binding | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | +| 1700 | CKV_GCP_115 | resource | google_organization_iam_member | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | +| 1701 | CKV_GCP_116 | resource | google_folder_iam_binding | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | +| 1702 | CKV_GCP_116 | resource | google_folder_iam_member | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | +| 1703 | CKV_GCP_117 | resource | google_project_iam_binding | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | +| 1704 | CKV_GCP_117 | resource | google_project_iam_member | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | +| 1705 | CKV_GCP_118 | resource | google_iam_workload_identity_pool_provider | Ensure IAM workload identity pool provider is restricted | Terraform | [GoogleIAMWorkloadIdentityConditional.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleIAMWorkloadIdentityConditional.py) | +| 1706 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | [GKEClustersAreNotUsingDefaultServiceAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GKEClustersAreNotUsingDefaultServiceAccount.yaml) | +| 1707 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | [GCPProjectHasNoLegacyNetworks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPProjectHasNoLegacyNetworks.yaml) | +| 1708 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | [ServiceAccountHasGCPmanagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/ServiceAccountHasGCPmanagedKey.yaml) | +| 1709 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 1710 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 1711 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 1712 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 1713 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | +| 1714 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | +| 1715 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | +| 1716 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | +| 1717 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | +| 1718 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | +| 1719 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | +| 1720 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | +| 1721 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | +| 1722 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | +| 1723 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | +| 1724 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | +| 1725 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | +| 1726 | CKV2_GCP_10 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function HTTP trigger is secured | Terraform | [CloudFunctionSecureHTTPTrigger.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml) | +| 1727 | CKV2_GCP_11 | resource | google_project_services | Ensure GCP GCR Container Vulnerability Scanning is enabled | Terraform | [GCRContainerVulnerabilityScanningEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCRContainerVulnerabilityScanningEnabled.yaml) | +| 1728 | CKV2_GCP_12 | resource | google_compute_firewall | Ensure GCP compute firewall ingress does not allow unrestricted access to all ports | Terraform | [GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml) | +| 1729 | CKV2_GCP_13 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_duration' is set to 'on' | Terraform | [GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml) | +| 1730 | CKV2_GCP_14 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml) | +| 1731 | CKV2_GCP_15 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml) | +| 1732 | CKV2_GCP_16 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml) | +| 1733 | CKV2_GCP_17 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml) | +| 1734 | CKV2_GCP_18 | resource | google_compute_network | Ensure GCP network defines a firewall and does not use the default firewall | Terraform | [GCPNetworkDoesNotUseDefaultFirewall.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml) | +| 1735 | CKV2_GCP_19 | resource | google_container_cluster | Ensure GCP Kubernetes engine clusters have 'alpha cluster' feature disabled | Terraform | [GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml) | +| 1736 | CKV2_GCP_20 | resource | google_sql_database_instance | Ensure MySQL DB instance has point-in-time recovery backup configured | Terraform | [GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml) | +| 1737 | CKV_GIT_1 | resource | github_repository | Ensure GitHub repository is Private | Terraform | [PrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/PrivateRepo.py) | +| 1738 | CKV_GIT_2 | resource | github_repository_webhook | Ensure GitHub repository webhooks are using HTTPS | Terraform | [WebhookInsecureSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/WebhookInsecureSsl.py) | +| 1739 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | [RepositoryEnableVulnerabilityAlerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py) | +| 1740 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | +| 1741 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | +| 1742 | CKV_GIT_4 | resource | github_actions_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | +| 1743 | CKV_GIT_5 | resource | github_branch_protection | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | +| 1744 | CKV_GIT_5 | resource | github_branch_protection_v3 | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | +| 1745 | CKV_GIT_6 | resource | github_branch_protection | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | +| 1746 | CKV_GIT_6 | resource | github_branch_protection_v3 | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | +| 1747 | CKV2_GIT_1 | resource | github_repository | Ensure each Repository has branch protection associated | Terraform | [RepositoryHasBranchProtection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/github/RepositoryHasBranchProtection.yaml) | +| 1748 | CKV_GLB_1 | resource | gitlab_project | Ensure at least two approving reviews are required to merge a GitLab MR | Terraform | [RequireTwoApprovalsToMerge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RequireTwoApprovalsToMerge.py) | +| 1749 | CKV_GLB_2 | resource | gitlab_branch_protection | Ensure GitLab branch protection rules does not allow force pushes | Terraform | [ForcePushDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/ForcePushDisabled.py) | +| 1750 | CKV_GLB_3 | resource | gitlab_project | Ensure GitLab prevent secrets is enabled | Terraform | [PreventSecretsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/PreventSecretsEnabled.py) | +| 1751 | CKV_GLB_4 | resource | gitlab_project | Ensure GitLab commits are signed | Terraform | [RejectUnsignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RejectUnsignedCommits.py) | +| 1752 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPIDPSP.py) | +| 1753 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | [PrivilegedContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainerPSP.py) | +| 1754 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPCPSP.py) | +| 1755 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespacePSP.py) | +| 1756 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalationPSP.py) | +| 1757 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | [RootContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py) | +| 1758 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py) | +| 1759 | CKV_K8S_8 | resource | kubernetes_deployment | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 1760 | CKV_K8S_8 | resource | kubernetes_deployment_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 1761 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 1762 | CKV_K8S_8 | resource | kubernetes_pod_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 1763 | CKV_K8S_9 | resource | kubernetes_deployment | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 1764 | CKV_K8S_9 | resource | kubernetes_deployment_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 1765 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 1766 | CKV_K8S_9 | resource | kubernetes_pod_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 1767 | CKV_K8S_10 | resource | kubernetes_deployment | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 1768 | CKV_K8S_10 | resource | kubernetes_deployment_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 1769 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 1770 | CKV_K8S_10 | resource | kubernetes_pod_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 1771 | CKV_K8S_11 | resource | kubernetes_deployment | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 1772 | CKV_K8S_11 | resource | kubernetes_deployment_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 1773 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 1774 | CKV_K8S_11 | resource | kubernetes_pod_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 1775 | CKV_K8S_12 | resource | kubernetes_deployment | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 1776 | CKV_K8S_12 | resource | kubernetes_deployment_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 1777 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 1778 | CKV_K8S_12 | resource | kubernetes_pod_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 1779 | CKV_K8S_13 | resource | kubernetes_deployment | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 1780 | CKV_K8S_13 | resource | kubernetes_deployment_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 1781 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 1782 | CKV_K8S_13 | resource | kubernetes_pod_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 1783 | CKV_K8S_14 | resource | kubernetes_deployment | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 1784 | CKV_K8S_14 | resource | kubernetes_deployment_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 1785 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 1786 | CKV_K8S_14 | resource | kubernetes_pod_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 1787 | CKV_K8S_15 | resource | kubernetes_deployment | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 1788 | CKV_K8S_15 | resource | kubernetes_deployment_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 1789 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 1790 | CKV_K8S_15 | resource | kubernetes_pod_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 1791 | CKV_K8S_16 | resource | kubernetes_deployment | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 1792 | CKV_K8S_16 | resource | kubernetes_deployment_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 1793 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 1794 | CKV_K8S_16 | resource | kubernetes_pod_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 1795 | CKV_K8S_17 | resource | kubernetes_deployment | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 1796 | CKV_K8S_17 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 1797 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 1798 | CKV_K8S_17 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 1799 | CKV_K8S_18 | resource | kubernetes_deployment | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 1800 | CKV_K8S_18 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 1801 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 1802 | CKV_K8S_18 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 1803 | CKV_K8S_19 | resource | kubernetes_deployment | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 1804 | CKV_K8S_19 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 1805 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 1806 | CKV_K8S_19 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 1807 | CKV_K8S_20 | resource | kubernetes_deployment | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 1808 | CKV_K8S_20 | resource | kubernetes_deployment_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 1809 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 1810 | CKV_K8S_20 | resource | kubernetes_pod_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 1811 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1812 | CKV_K8S_21 | resource | kubernetes_config_map_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1813 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1814 | CKV_K8S_21 | resource | kubernetes_cron_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1815 | CKV_K8S_21 | resource | kubernetes_daemon_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1816 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1817 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1818 | CKV_K8S_21 | resource | kubernetes_deployment_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1819 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1820 | CKV_K8S_21 | resource | kubernetes_ingress_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1821 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1822 | CKV_K8S_21 | resource | kubernetes_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1823 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1824 | CKV_K8S_21 | resource | kubernetes_pod_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1825 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1826 | CKV_K8S_21 | resource | kubernetes_replication_controller_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1827 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1828 | CKV_K8S_21 | resource | kubernetes_role_binding_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1829 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1830 | CKV_K8S_21 | resource | kubernetes_secret_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1831 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1832 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1833 | CKV_K8S_21 | resource | kubernetes_service_account_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1834 | CKV_K8S_21 | resource | kubernetes_service_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1835 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1836 | CKV_K8S_21 | resource | kubernetes_stateful_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1837 | CKV_K8S_22 | resource | kubernetes_deployment | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 1838 | CKV_K8S_22 | resource | kubernetes_deployment_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 1839 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 1840 | CKV_K8S_22 | resource | kubernetes_pod_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 1841 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesPSP.py) | +| 1842 | CKV_K8S_25 | resource | kubernetes_deployment | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 1843 | CKV_K8S_25 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 1844 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 1845 | CKV_K8S_25 | resource | kubernetes_pod_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 1846 | CKV_K8S_26 | resource | kubernetes_deployment | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 1847 | CKV_K8S_26 | resource | kubernetes_deployment_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 1848 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 1849 | CKV_K8S_26 | resource | kubernetes_pod_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 1850 | CKV_K8S_27 | resource | kubernetes_daemon_set_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1851 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1852 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1853 | CKV_K8S_27 | resource | kubernetes_deployment_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1854 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1855 | CKV_K8S_27 | resource | kubernetes_pod_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1856 | CKV_K8S_28 | resource | kubernetes_deployment | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 1857 | CKV_K8S_28 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 1858 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 1859 | CKV_K8S_28 | resource | kubernetes_pod_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 1860 | CKV_K8S_29 | resource | kubernetes_daemon_set_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1861 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1862 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1863 | CKV_K8S_29 | resource | kubernetes_deployment_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1864 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1865 | CKV_K8S_29 | resource | kubernetes_pod_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1866 | CKV_K8S_30 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 1867 | CKV_K8S_30 | resource | kubernetes_deployment_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 1868 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 1869 | CKV_K8S_30 | resource | kubernetes_pod_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 1870 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py) | +| 1871 | CKV_K8S_34 | resource | kubernetes_deployment | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 1872 | CKV_K8S_34 | resource | kubernetes_deployment_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 1873 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 1874 | CKV_K8S_34 | resource | kubernetes_pod_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 1875 | CKV_K8S_35 | resource | kubernetes_deployment | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 1876 | CKV_K8S_35 | resource | kubernetes_deployment_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 1877 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 1878 | CKV_K8S_35 | resource | kubernetes_pod_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 1879 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilitiesPSP.py) | +| 1880 | CKV_K8S_37 | resource | kubernetes_deployment | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 1881 | CKV_K8S_37 | resource | kubernetes_deployment_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 1882 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 1883 | CKV_K8S_37 | resource | kubernetes_pod_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 1884 | CKV_K8S_39 | resource | kubernetes_deployment | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 1885 | CKV_K8S_39 | resource | kubernetes_deployment_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 1886 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 1887 | CKV_K8S_39 | resource | kubernetes_pod_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 1888 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | +| 1889 | CKV_K8S_41 | resource | kubernetes_service_account_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | +| 1890 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 1891 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 1892 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 1893 | CKV_K8S_42 | resource | kubernetes_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 1894 | CKV_K8S_43 | resource | kubernetes_deployment | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 1895 | CKV_K8S_43 | resource | kubernetes_deployment_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 1896 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 1897 | CKV_K8S_43 | resource | kubernetes_pod_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 1898 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | +| 1899 | CKV_K8S_44 | resource | kubernetes_service_v1 | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | +| 1900 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 1901 | CKV_K8S_49 | resource | kubernetes_cluster_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 1902 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 1903 | CKV_K8S_49 | resource | kubernetes_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 1904 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/linode/credentials.py) | +| 1905 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | [authorized_keys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/authorized_keys.py) | +| 1906 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | [user_email_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_email_set.py) | +| 1907 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | [user_username_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_username_set.py) | +| 1908 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_inbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_inbound_policy.py) | +| 1909 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_outbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_outbound_policy.py) | +| 1910 | CKV_NCP_1 | resource | ncloud_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupDefinesHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py) | +| 1911 | CKV_NCP_2 | resource | ncloud_access_control_group | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | +| 1912 | CKV_NCP_2 | resource | ncloud_access_control_group_rule | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | +| 1913 | CKV_NCP_3 | resource | ncloud_access_control_group_rule | Ensure no security group rules allow outbound traffic to 0.0.0.0/0 | Terraform | [AccessControlGroupOutboundRule.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py) | +| 1914 | CKV_NCP_4 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22 | Terraform | [AccessControlGroupInboundRulePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort22.py) | +| 1915 | CKV_NCP_5 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [AccessControlGroupInboundRulePort3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort3389.py) | +| 1916 | CKV_NCP_6 | resource | ncloud_server | Ensure Server instance is encrypted. | Terraform | [ServerEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerEncryptionVPC.py) | +| 1917 | CKV_NCP_7 | resource | ncloud_launch_configuration | Ensure Basic Block storage is encrypted. | Terraform | [LaunchConfigurationEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LaunchConfigurationEncryptionVPC.py) | +| 1918 | CKV_NCP_8 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 20 | Terraform | [NACLInbound20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound20.py) | +| 1919 | CKV_NCP_9 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 21 | Terraform | [NACLInbound21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound21.py) | +| 1920 | CKV_NCP_10 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 22 | Terraform | [NACLInbound22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound22.py) | +| 1921 | CKV_NCP_11 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [NACLInbound3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound3389.py) | +| 1922 | CKV_NCP_12 | resource | ncloud_network_acl_rule | An inbound Network ACL rule should not allow ALL ports. | Terraform | [NACLPortCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLPortCheck.py) | +| 1923 | CKV_NCP_13 | resource | ncloud_lb_listener | Ensure LB Listener uses only secure protocols | Terraform | [LBListenerUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py) | +| 1924 | CKV_NCP_14 | resource | ncloud_nas_volume | Ensure NAS is securely encrypted | Terraform | [NASEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py) | +| 1925 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | [LBTargetGroupUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py) | +| 1926 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | [LBNetworkPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py) | +| 1927 | CKV_NCP_18 | resource | ncloud_auto_scaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | +| 1928 | CKV_NCP_18 | resource | ncloud_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | +| 1929 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | [NKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSPublicAccess.py) | +| 1930 | CKV_NCP_20 | resource | ncloud_route | Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | Terraform | [RouteTableNATGatewayDefault.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py) | +| 1931 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | [NKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py) | +| 1932 | CKV_NCP_22 | resource | ncloud_route_table | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | +| 1933 | CKV_NCP_22 | resource | ncloud_subnet | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | +| 1934 | CKV_NCP_23 | resource | ncloud_public_ip | Ensure Server instance should not have public IP. | Terraform | [ServerPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerPublicIP.py) | +| 1935 | CKV_NCP_24 | resource | ncloud_lb_listener | Ensure Load Balancer Listener Using HTTPS | Terraform | [LBListenerUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsingHTTPS.py) | +| 1936 | CKV_NCP_25 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 | Terraform | [AccessControlGroupInboundRulePort80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort80.py) | +| 1937 | CKV_NCP_26 | resource | ncloud_access_control_group | Ensure Access Control Group has Access Control Group Rule attached | Terraform | [AccessControlGroupRuleDefine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AccessControlGroupRuleDefine.yaml) | +| 1938 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/oci/credentials.py) | +| 1939 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | [StorageBlockBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockBackupEnabled.py) | +| 1940 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | [StorageBlockEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockEncryption.py) | +| 1941 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | [InstanceBootVolumeIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceBootVolumeIntransitEncryption.py) | +| 1942 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | [InstanceMetadataServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMetadataServiceEnabled.py) | +| 1943 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | [InstanceMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMonitoringEnabled.py) | +| 1944 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | [ObjectStorageEmitEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEmitEvents.py) | +| 1945 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | [ObjectStorageVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageVersioning.py) | +| 1946 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | [ObjectStorageEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEncryption.py) | +| 1947 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | [ObjectStoragePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStoragePublic.py) | +| 1948 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | [IAMPasswordPolicyLowerCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyLowerCase.py) | +| 1949 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | [IAMPasswordPolicyNumeric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyNumeric.py) | +| 1950 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | [IAMPasswordPolicySpecialCharacters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicySpecialCharacters.py) | +| 1951 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | [IAMPasswordPolicyUpperCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyUpperCase.py) | +| 1952 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | [FileSystemEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/FileSystemEncryption.py) | +| 1953 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | [SecurityListIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngress.py) | +| 1954 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | [SecurityListIngressStateless.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngressStateless.py) | +| 1955 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters | Terraform | [IAMPasswordLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordLength.py) | +| 1956 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | [SecurityListUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress22.py) | +| 1957 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | [SecurityListUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress3389.py) | +| 1958 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | [SecurityGroupsIngressStatelessSecurityRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityGroupsIngressStatelessSecurityRules.py) | +| 1959 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | [AbsSecurityGroupUnrestrictedIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/AbsSecurityGroupUnrestrictedIngress.py) | +| 1960 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 1961 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 1962 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 1963 | CKV2_OCI_2 | resource | oci_core_network_security_group_security_rule | Ensure NSG does not allow all traffic on RDP port (3389) | Terraform | [OCI_NSGNotAllowRDP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml) | +| 1964 | CKV2_OCI_3 | resource | oci_containerengine_cluster | Ensure Kubernetes engine cluster is configured with NSG(s) | Terraform | [OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml) | +| 1965 | CKV2_OCI_4 | resource | oci_file_storage_export | Ensure File Storage File System access is restricted to root users | Terraform | [OCI_NFSaccessRestrictedToRootUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NFSaccessRestrictedToRootUsers.yaml) | +| 1966 | CKV2_OCI_5 | resource | oci_containerengine_node_pool | Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Terraform | [OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml) | +| 1967 | CKV2_OCI_6 | resource | oci_containerengine_cluster | Ensure Kubernetes Engine Cluster pod security policy is enforced | Terraform | [OCI_K8EngineClusterPodSecPolicyEnforced.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterPodSecPolicyEnforced.yaml) | +| 1968 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/openstack/credentials.py) | +| 1969 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | +| 1970 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | +| 1971 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | +| 1972 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | +| 1973 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | [ComputeInstanceAdminPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/ComputeInstanceAdminPassword.py) | +| 1974 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | [FirewallRuleSetDestinationIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/FirewallRuleSetDestinationIP.py) | +| 1975 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/panos/credentials.py) | +| 1976 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoHTTP.py) | +| 1977 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoTelnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoTelnet.py) | +| 1978 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | +| 1979 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | +| 1980 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | +| 1981 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | +| 1982 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | +| 1983 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | +| 1984 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | +| 1985 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | +| 1986 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | +| 1987 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | +| 1988 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | +| 1989 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | +| 1990 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | +| 1991 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | +| 1992 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | +| 1993 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | +| 1994 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | +| 1995 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | +| 1996 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | +| 1997 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | +| 1998 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 1999 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 2000 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 2001 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | +| 2002 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | +| 2003 | CKV_TF_1 | module | module | Ensure Terraform module sources use a commit hash | Terraform | [RevisionHash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py) | +| 2004 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2005 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2006 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2007 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2008 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2009 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2010 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2011 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2012 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2013 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | [ComputeVMPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMPublicIP.py) | +| 2014 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | [ObjectStorageBucketEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketEncryption.py) | +| 2015 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | [ComputeVMSerialConsole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSerialConsole.py) | +| 2016 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | [K8SPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SPublicIP.py) | +| 2017 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | [K8SNodeGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupPublicIP.py) | +| 2018 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform | [K8SAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SAutoUpgrade.py) | +| 2019 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | [K8SNodeGroupAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupAutoUpgrade.py) | +| 2020 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | [KMSSymmetricKeyRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/KMSSymmetricKeyRotation.py) | +| 2021 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | [K8SEtcdKMSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SEtcdKMSEncryption.py) | +| 2022 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | [ComputeVMSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSecurityGroup.py) | +| 2023 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2024 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2025 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2026 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2027 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2028 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2029 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2030 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2031 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | +| 2032 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | +| 2033 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | [K8SSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SSecurityGroup.py) | +| 2034 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | [K8SNodeGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupSecurityGroup.py) | +| 2035 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | [K8SNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNetworkPolicy.py) | +| 2036 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. | Terraform | [ObjectStorageBucketPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py) | +| 2037 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | [ComputeInstanceGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupPublicIP.py) | +| 2038 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform | [VPCSecurityGroupAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py) | +| 2039 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | [VPCSecurityGroupRuleAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py) | +| 2040 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | +| 2041 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | +| 2042 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform | [ComputeInstanceGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupSecurityGroup.py) | +| 2043 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | +| 2044 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | +| 2045 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 2046 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 2047 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 2048 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 2049 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 2050 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | --- diff --git a/docs/7.Scan Examples/Terraform.md b/docs/7.Scan Examples/Terraform.md index 3c04fe72fce..3e9c7272c43 100644 --- a/docs/7.Scan Examples/Terraform.md +++ b/docs/7.Scan Examples/Terraform.md @@ -44,6 +44,13 @@ To adjust the download path you can leverage the flag `--external-modules-downlo checkov -d . --download-external-modules true --external-modules-download-path example/path ``` +> [!NOTE] +> **Experimental** +> By setting the env var `CHECKOV_EXPERIMENTAL_TERRAFORM_MANAGED_MODULES=True` instead of downloading external modules `checkov` will use the ones already downloaded by Terraform stored in `.terraform` folder. This only works for scans of the root folder, where also `terraform init` was executed. +> ```shell +> CHECKOV_EXPERIMENTAL_TERRAFORM_MANAGED_MODULES=True checkov -d . +> ``` + ### Scanning Private Terraform Modules If you have modules stored in a private repository or a private Terraform registry (hosted on Terraform Cloud, Terraform Enterprise or a third-party provider like GitLab), you can grant Checkov access by providing access tokens as environment variables. This will enable Checkov to attempt to clone and scan those modules. diff --git a/extra_stubs/boolean/__init__.pyi b/extra_stubs/boolean/__init__.pyi new file mode 100644 index 00000000000..9138bdd97db --- /dev/null +++ b/extra_stubs/boolean/__init__.pyi @@ -0,0 +1,6 @@ +from .boolean import BooleanAlgebra, Expression + +__all__ = [ + "BooleanAlgebra", + "Expression", +] diff --git a/extra_stubs/boolean/boolean.py b/extra_stubs/boolean/boolean.py new file mode 100644 index 00000000000..f294ff50749 --- /dev/null +++ b/extra_stubs/boolean/boolean.py @@ -0,0 +1,6 @@ +class BooleanAlgebra: + ... + + +class Expression: + ... diff --git a/extra_stubs/license_expression/__init__.pyi b/extra_stubs/license_expression/__init__.pyi new file mode 100644 index 00000000000..f7b4e4e6df9 --- /dev/null +++ b/extra_stubs/license_expression/__init__.pyi @@ -0,0 +1,16 @@ +from pathlib import Path +from typing import Any + +from boolean import BooleanAlgebra, Expression as LicenseExpression + +class Licensing(BooleanAlgebra): + def parse( + self, + expression: bytes | str | LicenseExpression | None, + validate: bool = ..., + strict: bool = ..., + simple: bool = ..., + **kwargs: Any, + ) -> LicenseExpression | None: ... + +def get_spdx_licensing(license_index_location: str | Path = ...) -> Licensing: ... diff --git a/integration_tests/prepare_data.sh b/integration_tests/prepare_data.sh index de822f8b1fb..6cd8c59ba4d 100755 --- a/integration_tests/prepare_data.sh +++ b/integration_tests/prepare_data.sh @@ -29,7 +29,7 @@ else fi -if [[ "$2" == "3.7" && "$1" == "ubuntu-latest" ]] +if [[ "$2" == "3.8" && "$1" == "ubuntu-latest" ]] then pipenv run checkov -s -f terragoat/terraform/aws/s3.tf --bc-api-key $BC_KEY > checkov_report_s3_singlefile_api_key_terragoat.txt pipenv run checkov -s -d terragoat/terraform/azure/ --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat.txt diff --git a/kubernetes/Dockerfile b/kubernetes/Dockerfile index 87372188586..f990e0242f9 100644 --- a/kubernetes/Dockerfile +++ b/kubernetes/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.10-slim +FROM python:3.11-slim ENV RUN_IN_DOCKER=True diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 2c9d44ee40c..469dc3e56f4 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.4.29 +checkov==2.5.11 diff --git a/mypy.ini b/mypy.ini index 02290e54232..ae4635cd329 100644 --- a/mypy.ini +++ b/mypy.ini @@ -2,7 +2,7 @@ mypy_path = extra_stubs files = checkov -exclude = checkov/(arm/checks|cloudformation/checks|kubernetes/checks|serverless|terraform/(checks|plan_runner.py)) +exclude = checkov/(arm/checks|cloudformation/checks|kubernetes/checks|serverless|terraform/checks) strict = True disallow_subclassing_any = False implicit_reexport = True @@ -11,9 +11,6 @@ show_error_codes = True [mypy-configargparse.*] ignore_missing_imports = True -[mypy-deep_merge.*] -ignore_missing_imports = True - [mypy-docker.*] ignore_missing_imports = True @@ -26,8 +23,5 @@ ignore_missing_imports = True [mypy-networkx.*] ignore_missing_imports = True -[mypy-license_expression.*] -ignore_missing_imports = True - [mypy-checkov.*] follow_imports = skip diff --git a/setup.py b/setup.py index 4e53dfc56ca..c5e02696da5 100644 --- a/setup.py +++ b/setup.py @@ -68,7 +68,6 @@ def run(self) -> None: "bc-python-hcl2==0.3.51", "bc-detect-secrets==1.4.30", "bc-jsonpath-ng==1.5.9", - "deep-merge", "tabulate", "colorama", "termcolor", @@ -111,12 +110,13 @@ def run(self) -> None: "openai", "spdx-tools>=0.8.0,<0.9.0", "license-expression", + "rustworkx", ], dependency_links=[], # keep it empty, needed for pipenv-setup license="Apache License 2.0", name="checkov", version=version, - python_requires=">=3.7", + python_requires=">=3.8", description="Infrastructure as code static analysis", author="bridgecrew", author_email="meet@bridgecrew.io", @@ -152,7 +152,6 @@ def run(self) -> None: "Intended Audience :: System Administrators", "License :: OSI Approved :: Apache Software License", "Programming Language :: Python :: 3 :: Only", - "Programming Language :: Python :: 3.7", "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.10", diff --git a/tests/ansible/checks/graph_checks/test_yaml_policies.py b/tests/ansible/checks/graph_checks/test_yaml_policies.py index fc115cee0e6..98257d4adb7 100644 --- a/tests/ansible/checks/graph_checks/test_yaml_policies.py +++ b/tests/ansible/checks/graph_checks/test_yaml_policies.py @@ -1,11 +1,9 @@ -import os import warnings from pathlib import Path from typing import List from parameterized import parameterized_class -from checkov.common.graph.db_connectors.networkx.networkx_db_connector import NetworkxConnector -from checkov.common.graph.db_connectors.igraph.igraph_db_connector import IgraphConnector +from tests.graph_utils.utils import set_db_connector_by_graph_framework, PARAMETERIZED_GRAPH_FRAMEWORKS from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.models.enums import CheckResult @@ -17,17 +15,10 @@ from tests.common.graph.checks.test_yaml_policies_base import TestYamlPoliciesBase -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestYamlPolicies(TestYamlPoliciesBase): def __init__(self, args): - db_connector = None - if self.graph_framework == 'NETWORKX': - db_connector = NetworkxConnector() - elif self.graph_framework == 'IGRAPH': - db_connector = IgraphConnector() + db_connector = set_db_connector_by_graph_framework(self.graph_framework) graph_manager = ObjectGraphManager(db_connector=db_connector, source="Ansible") super().__init__( graph_manager=graph_manager, diff --git a/tests/arm/checks/resource/example_AppServiceUsedAzureFiles/AppServiceEnableFailedRequest-failed.json b/tests/arm/checks/resource/example_AppServiceUsedAzureFiles/AppServiceEnableFailedRequest-failed.json new file mode 100644 index 00000000000..ea719840ea4 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceUsedAzureFiles/AppServiceEnableFailedRequest-failed.json @@ -0,0 +1,189 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "sites_pike_name": { + "defaultValue": "pike", + "type": "String" + }, + "serverfarms_example_serviceplan_externalid": { + "defaultValue": "/subscriptions/037ce662-dfc1-4b8b-a8a7-6c414b540ed6/resourceGroups/test/providers/Microsoft.Web/serverfarms/example-serviceplan", + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "[parameters('sites_pike_name')]", + "location": "UK South", + "kind": "app,linux", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "enabled": true, + "hostNameSslStates": [ + { + "name": "[concat(parameters('sites_pike_name'), '.azurewebsites.net')]", + "sslState": "Disabled", + "hostType": "Standard" + }, + { + "name": "[concat(parameters('sites_pike_name'), '.scm.azurewebsites.net')]", + "sslState": "Disabled", + "hostType": "Repository" + } + ], + "serverFarmId": "[parameters('serverfarms_example_serviceplan_externalid')]", + "reserved": true, + "isXenon": false, + "hyperV": false, + "vnetRouteAllEnabled": false, + "vnetImagePullEnabled": false, + "vnetContentShareEnabled": false, + "siteConfig": { + "numberOfWorkers": 1, + "acrUseManagedIdentityCreds": false, + "alwaysOn": false, + "http20Enabled": true, + "functionAppScaleLimit": 0, + "minimumElasticInstanceCount": 0 + }, + "scmSiteAlsoStopped": false, + "clientAffinityEnabled": false, + "clientCertEnabled": true, + "clientCertMode": "Required", + "hostNamesDisabled": false, + "customDomainVerificationId": "B37B5768F8409B36E596577BDBC882653FCC6A7FD697EBEE151AB7C532C897E5", + "containerSize": 0, + "dailyMemoryTimeQuota": 0, + "httpsOnly": true, + "redundancyMode": "None", + "storageAccountRequired": false, + "keyVaultReferenceIdentity": "SystemAssigned" + } + }, + { + "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", + "apiVersion": "2022-09-01", + "name": "[concat(parameters('sites_pike_name'), '/ftp')]", + "location": "UK South", + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('sites_pike_name'))]" + ], + "properties": { + "allow": true + } + }, + { + "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", + "apiVersion": "2022-09-01", + "name": "[concat(parameters('sites_pike_name'), '/scm')]", + "location": "UK South", + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('sites_pike_name'))]" + ], + "properties": { + "allow": true + } + }, + { + "type": "Microsoft.Web/sites/config", + "apiVersion": "2022-09-01", + "name": "failed", + "location": "UK South", + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('sites_pike_name'))]" + ], + "properties": { + "numberOfWorkers": 1, + "defaultDocuments": [], + "netFrameworkVersion": "v4.0", + "requestTracingEnabled": false, + "requestTracingExpirationTime": "9999-12-31T23:59:00Z", + "remoteDebuggingEnabled": false, + "remoteDebuggingVersion": "VS2019", + "httpLoggingEnabled": true, + "acrUseManagedIdentityCreds": false, + "logsDirectorySizeLimit": 25, + "detailedErrorLoggingEnabled": true, + "publishingUsername": "$pike", + "scmType": "None", + "use32BitWorkerProcess": false, + "webSocketsEnabled": false, + "alwaysOn": false, + "managedPipelineMode": "Integrated", + "virtualApplications": [ + { + "virtualPath": "/", + "physicalPath": "site\\wwwroot", + "preloadEnabled": false + } + ], + "loadBalancing": "LeastRequests", + "experiments": { + "rampUpRules": [] + }, + "autoHealEnabled": false, + "vnetRouteAllEnabled": false, + "vnetPrivatePortsCount": 0, + "cors": { + "supportCredentials": false + }, + "localMySqlEnabled": false, + "managedServiceIdentityId": 484, + "ipSecurityRestrictions": [ + { + "ipAddress": "Any", + "action": "Allow", + "priority": 2147483647, + "name": "Allow all", + "description": "Allow all access" + } + ], + "scmIpSecurityRestrictions": [ + { + "ipAddress": "Any", + "action": "Allow", + "priority": 2147483647, + "name": "Allow all", + "description": "Allow all access" + } + ], + "scmIpSecurityRestrictionsUseMain": false, + "http20Enabled": true, + "minTlsVersion": "1.2", + "scmMinTlsVersion": "1.2", + "ftpsState": "FtpsOnly", + "preWarmedInstanceCount": 0, + "elasticWebAppScaleLimit": 0, + "healthCheckPath": "/health", + "functionsRuntimeScaleMonitoringEnabled": false, + "minimumElasticInstanceCount": 0, + "azureStorageAccounts": { + "shady": { + "type": "AzureBlob", + "accountName": "piketest", + "shareName": "pike", + "mountPath": "/mount/shady" + } + } + } + }, + { + "type": "Microsoft.Web/sites/hostNameBindings", + "apiVersion": "2022-09-01", + "name": "[concat(parameters('sites_pike_name'), '/', parameters('sites_pike_name'), '.azurewebsites.net')]", + "location": "UK South", + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('sites_pike_name'))]" + ], + "properties": { + "siteName": "pike", + "hostNameType": "Verified" + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_AppServiceUsedAzureFiles/AppServiceEnableFailedRequest-failed2.json b/tests/arm/checks/resource/example_AppServiceUsedAzureFiles/AppServiceEnableFailedRequest-failed2.json new file mode 100644 index 00000000000..16ff9d8c8ee --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceUsedAzureFiles/AppServiceEnableFailedRequest-failed2.json @@ -0,0 +1,181 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "sites_pike_name": { + "defaultValue": "pike", + "type": "String" + }, + "serverfarms_example_serviceplan_externalid": { + "defaultValue": "/subscriptions/037ce662-dfc1-4b8b-a8a7-6c414b540ed6/resourceGroups/test/providers/Microsoft.Web/serverfarms/example-serviceplan", + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "[parameters('sites_pike_name')]", + "location": "UK South", + "kind": "app,linux", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "enabled": true, + "hostNameSslStates": [ + { + "name": "[concat(parameters('sites_pike_name'), '.azurewebsites.net')]", + "sslState": "Disabled", + "hostType": "Standard" + }, + { + "name": "[concat(parameters('sites_pike_name'), '.scm.azurewebsites.net')]", + "sslState": "Disabled", + "hostType": "Repository" + } + ], + "serverFarmId": "[parameters('serverfarms_example_serviceplan_externalid')]", + "reserved": true, + "isXenon": false, + "hyperV": false, + "vnetRouteAllEnabled": false, + "vnetImagePullEnabled": false, + "vnetContentShareEnabled": false, + "siteConfig": { + "numberOfWorkers": 1, + "acrUseManagedIdentityCreds": false, + "alwaysOn": false, + "http20Enabled": true, + "functionAppScaleLimit": 0, + "minimumElasticInstanceCount": 0 + }, + "scmSiteAlsoStopped": false, + "clientAffinityEnabled": false, + "clientCertEnabled": true, + "clientCertMode": "Required", + "hostNamesDisabled": false, + "customDomainVerificationId": "B37B5768F8409B36E596577BDBC882653FCC6A7FD697EBEE151AB7C532C897E5", + "containerSize": 0, + "dailyMemoryTimeQuota": 0, + "httpsOnly": true, + "redundancyMode": "None", + "storageAccountRequired": false, + "keyVaultReferenceIdentity": "SystemAssigned" + } + }, + { + "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", + "apiVersion": "2022-09-01", + "name": "[concat(parameters('sites_pike_name'), '/ftp')]", + "location": "UK South", + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('sites_pike_name'))]" + ], + "properties": { + "allow": true + } + }, + { + "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", + "apiVersion": "2022-09-01", + "name": "[concat(parameters('sites_pike_name'), '/scm')]", + "location": "UK South", + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('sites_pike_name'))]" + ], + "properties": { + "allow": true + } + }, + { + "type": "Microsoft.Web/sites/config", + "apiVersion": "2022-09-01", + "name": "failed2", + "location": "UK South", + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('sites_pike_name'))]" + ], + "properties": { + "numberOfWorkers": 1, + "defaultDocuments": [], + "netFrameworkVersion": "v4.0", + "requestTracingEnabled": false, + "requestTracingExpirationTime": "9999-12-31T23:59:00Z", + "remoteDebuggingEnabled": false, + "remoteDebuggingVersion": "VS2019", + "httpLoggingEnabled": true, + "acrUseManagedIdentityCreds": false, + "logsDirectorySizeLimit": 25, + "detailedErrorLoggingEnabled": true, + "publishingUsername": "$pike", + "scmType": "None", + "use32BitWorkerProcess": false, + "webSocketsEnabled": false, + "alwaysOn": false, + "managedPipelineMode": "Integrated", + "virtualApplications": [ + { + "virtualPath": "/", + "physicalPath": "site\\wwwroot", + "preloadEnabled": false + } + ], + "loadBalancing": "LeastRequests", + "experiments": { + "rampUpRules": [] + }, + "autoHealEnabled": false, + "vnetRouteAllEnabled": false, + "vnetPrivatePortsCount": 0, + "cors": { + "supportCredentials": false + }, + "localMySqlEnabled": false, + "managedServiceIdentityId": 484, + "ipSecurityRestrictions": [ + { + "ipAddress": "Any", + "action": "Allow", + "priority": 2147483647, + "name": "Allow all", + "description": "Allow all access" + } + ], + "scmIpSecurityRestrictions": [ + { + "ipAddress": "Any", + "action": "Allow", + "priority": 2147483647, + "name": "Allow all", + "description": "Allow all access" + } + ], + "scmIpSecurityRestrictionsUseMain": false, + "http20Enabled": true, + "minTlsVersion": "1.2", + "scmMinTlsVersion": "1.2", + "ftpsState": "FtpsOnly", + "preWarmedInstanceCount": 0, + "elasticWebAppScaleLimit": 0, + "healthCheckPath": "/health", + "functionsRuntimeScaleMonitoringEnabled": false, + "minimumElasticInstanceCount": 0 + } + }, + { + "type": "Microsoft.Web/sites/hostNameBindings", + "apiVersion": "2022-09-01", + "name": "[concat(parameters('sites_pike_name'), '/', parameters('sites_pike_name'), '.azurewebsites.net')]", + "location": "UK South", + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('sites_pike_name'))]" + ], + "properties": { + "siteName": "pike", + "hostNameType": "Verified" + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_AppServiceUsedAzureFiles/AppServiceUsedAzureFiles-passed.json b/tests/arm/checks/resource/example_AppServiceUsedAzureFiles/AppServiceUsedAzureFiles-passed.json new file mode 100644 index 00000000000..c25cec0eb97 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceUsedAzureFiles/AppServiceUsedAzureFiles-passed.json @@ -0,0 +1,189 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "sites_pike_name": { + "defaultValue": "pike", + "type": "String" + }, + "serverfarms_example_serviceplan_externalid": { + "defaultValue": "/subscriptions/037ce662-dfc1-4b8b-a8a7-6c414b540ed6/resourceGroups/test/providers/Microsoft.Web/serverfarms/example-serviceplan", + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "[parameters('sites_pike_name')]", + "location": "UK South", + "kind": "app,linux", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "enabled": true, + "hostNameSslStates": [ + { + "name": "[concat(parameters('sites_pike_name'), '.azurewebsites.net')]", + "sslState": "Disabled", + "hostType": "Standard" + }, + { + "name": "[concat(parameters('sites_pike_name'), '.scm.azurewebsites.net')]", + "sslState": "Disabled", + "hostType": "Repository" + } + ], + "serverFarmId": "[parameters('serverfarms_example_serviceplan_externalid')]", + "reserved": true, + "isXenon": false, + "hyperV": false, + "vnetRouteAllEnabled": false, + "vnetImagePullEnabled": false, + "vnetContentShareEnabled": false, + "siteConfig": { + "numberOfWorkers": 1, + "acrUseManagedIdentityCreds": false, + "alwaysOn": false, + "http20Enabled": true, + "functionAppScaleLimit": 0, + "minimumElasticInstanceCount": 0 + }, + "scmSiteAlsoStopped": false, + "clientAffinityEnabled": false, + "clientCertEnabled": true, + "clientCertMode": "Required", + "hostNamesDisabled": false, + "customDomainVerificationId": "B37B5768F8409B36E596577BDBC882653FCC6A7FD697EBEE151AB7C532C897E5", + "containerSize": 0, + "dailyMemoryTimeQuota": 0, + "httpsOnly": true, + "redundancyMode": "None", + "storageAccountRequired": false, + "keyVaultReferenceIdentity": "SystemAssigned" + } + }, + { + "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", + "apiVersion": "2022-09-01", + "name": "[concat(parameters('sites_pike_name'), '/ftp')]", + "location": "UK South", + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('sites_pike_name'))]" + ], + "properties": { + "allow": true + } + }, + { + "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", + "apiVersion": "2022-09-01", + "name": "[concat(parameters('sites_pike_name'), '/scm')]", + "location": "UK South", + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('sites_pike_name'))]" + ], + "properties": { + "allow": true + } + }, + { + "type": "Microsoft.Web/sites/config", + "apiVersion": "2022-09-01", + "name": "passed", + "location": "UK South", + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('sites_pike_name'))]" + ], + "properties": { + "numberOfWorkers": 1, + "defaultDocuments": [], + "netFrameworkVersion": "v4.0", + "requestTracingEnabled": true, + "requestTracingExpirationTime": "9999-12-31T23:59:00Z", + "remoteDebuggingEnabled": false, + "remoteDebuggingVersion": "VS2019", + "httpLoggingEnabled": true, + "acrUseManagedIdentityCreds": false, + "logsDirectorySizeLimit": 25, + "detailedErrorLoggingEnabled": true, + "publishingUsername": "$pike", + "scmType": "None", + "use32BitWorkerProcess": false, + "webSocketsEnabled": false, + "alwaysOn": false, + "managedPipelineMode": "Integrated", + "virtualApplications": [ + { + "virtualPath": "/", + "physicalPath": "site\\wwwroot", + "preloadEnabled": false + } + ], + "loadBalancing": "LeastRequests", + "experiments": { + "rampUpRules": [] + }, + "autoHealEnabled": false, + "vnetRouteAllEnabled": false, + "vnetPrivatePortsCount": 0, + "cors": { + "supportCredentials": false + }, + "localMySqlEnabled": false, + "managedServiceIdentityId": 484, + "ipSecurityRestrictions": [ + { + "ipAddress": "Any", + "action": "Allow", + "priority": 2147483647, + "name": "Allow all", + "description": "Allow all access" + } + ], + "scmIpSecurityRestrictions": [ + { + "ipAddress": "Any", + "action": "Allow", + "priority": 2147483647, + "name": "Allow all", + "description": "Allow all access" + } + ], + "scmIpSecurityRestrictionsUseMain": false, + "http20Enabled": true, + "minTlsVersion": "1.2", + "scmMinTlsVersion": "1.2", + "ftpsState": "FtpsOnly", + "preWarmedInstanceCount": 0, + "elasticWebAppScaleLimit": 0, + "healthCheckPath": "/health", + "functionsRuntimeScaleMonitoringEnabled": false, + "minimumElasticInstanceCount": 0, + "azureStorageAccounts": { + "shady": { + "type": "AzureFiles", + "accountName": "piketest", + "shareName": "pike", + "mountPath": "/mount/shady" + } + } + } + }, + { + "type": "Microsoft.Web/sites/hostNameBindings", + "apiVersion": "2022-09-01", + "name": "[concat(parameters('sites_pike_name'), '/', parameters('sites_pike_name'), '.azurewebsites.net')]", + "location": "UK South", + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('sites_pike_name'))]" + ], + "properties": { + "siteName": "pike", + "hostNameType": "Verified" + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_SQLServerUsesADAuth/fail.json b/tests/arm/checks/resource/example_SQLServerUsesADAuth/fail.json new file mode 100644 index 00000000000..47172be23ec --- /dev/null +++ b/tests/arm/checks/resource/example_SQLServerUsesADAuth/fail.json @@ -0,0 +1,181 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "administratorLogin": { + "type": "string", + "defaultValue": "anythingisbad" + }, + "administratorLoginPassword": { + "type": "securestring", + "defaultValue": "" + }, + "administrators": { + "type": "object", + "defaultValue": {} + }, + "location": { + "type": "string" + }, + "serverName": { + "type": "string" + }, + "enableADS": { + "type": "bool", + "defaultValue": false + }, + "useVAManagedIdentity": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "To enable vulnerability assessments, the user deploying this template must have an administrator or owner permissions." + } + }, + "vaStoragelessEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Flag for enabling vulnerability assessments with express configuration (storage less), the user deploying this template must have administrator or owner permissions." + } + }, + "publicNetworkAccess": { + "type": "string", + "defaultValue": "" + }, + "minimalTlsVersion": { + "type": "string", + "defaultValue": "" + }, + "allowAzureIps": { + "type": "bool", + "defaultValue": true + }, + "enableVA": { + "type": "bool", + "defaultValue": false + }, + "serverTags": { + "type": "object", + "defaultValue": {} + } + }, + "variables": { + "subscriptionId": "[subscription().subscriptionId]", + "resourceGroupName": "[resourceGroup().name]", + "uniqueStorage": "[uniqueString(variables('subscriptionId'), variables('resourceGroupName'), parameters('location'))]", + "storageName": "[tolower(concat('sqlva', variables('uniqueStorage')))]", + "uniqueRoleGuid": "[guid(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), variables('storageBlobContributor'), resourceId('Microsoft.Sql/servers', parameters('serverName')))]", + "StorageBlobContributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]" + }, + "resources": [ + { + "condition": "[parameters('enableVA')]", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-04-01", + "name": "[variables('storageName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_LRS" + }, + "kind": "StorageV2", + "properties": { + "minimumTlsVersion": "TLS1_2", + "supportsHttpsTrafficOnly": "true", + "allowBlobPublicAccess": "false" + }, + "resources": [ + { + "condition": "[parameters('useVAManagedIdentity')]", + "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(variables('storageName'), '/Microsoft.Authorization/', variables('uniqueRoleGuid') )]", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]" + ], + "properties": { + "roleDefinitionId": "[variables('StorageBlobContributor')]", + "principalId": "[reference(resourceId('Microsoft.Sql/servers', parameters('serverName')), '2018-06-01-preview', 'Full').identity.principalId]", + "scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]", + "principalType": "ServicePrincipal" + } + } + ] + }, + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2020-11-01-preview", + "name": "fail", + "location": "[parameters('location')]", + "properties": { + "version": "12.0", + "minimalTlsVersion": "[parameters('minimalTlsVersion')]", + "publicNetworkAccess": "[parameters('publicNetworkAccess')]", + "administratorLogin": "[parameters('administratorLogin')]", + "administratorLoginPassword": "[parameters('administratorLoginPassword')]", + "administrators": "[parameters('administrators')]" + }, + "identity": "[if(and(parameters('enableVA'),parameters('useVAManagedIdentity')), json('{\"type\":\"SystemAssigned\"}'), json('null'))]", + "tags": "[parameters('serverTags')]", + "resources": [ + { + "condition": "[parameters('allowAzureIPs')]", + "type": "firewallRules", + "apiVersion": "2021-11-01", + "name": "AllowAllWindowsAzureIps", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]" + ], + "properties": { + "endIpAddress": "0.0.0.0", + "startIpAddress": "0.0.0.0" + } + }, + { + "condition": "[parameters('enableADS')]", + "type": "advancedThreatProtectionSettings", + "apiVersion": "2021-11-01-preview", + "name": "Default", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]" + ], + "properties": { + "state": "Enabled" + } + }, + { + "condition": "[parameters('enableVA')]", + "type": "vulnerabilityAssessments", + "apiVersion": "2018-06-01-preview", + "name": "Default", + "dependsOn": [ + "[concat('Microsoft.Sql/servers/', parameters('serverName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('storageName'))]", + "[concat('Microsoft.Sql/servers/', parameters('serverName'), '/advancedThreatProtectionSettings/Default')]" + ], + "properties": { + "storageContainerPath": "[if(parameters('enableVA'), concat(reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))).primaryEndpoints.blob, 'vulnerability-assessment'), '')]", + "storageAccountAccessKey": "[if(and(parameters('enableVA'),not(parameters('useVAManagedIdentity'))), listKeys(variables('storageName'), '2018-02-01').keys[0].value, '')]", + "recurringScans": { + "isEnabled": true, + "emailSubscriptionAdmins": false + } + } + }, + { + "condition": "[parameters('vaStoragelessEnabled')]", + "type": "sqlVulnerabilityAssessments", + "apiVersion": "2022-02-01-preview", + "name": "Default", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]" + ], + "properties": { + "state": "Enabled" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_SQLServerUsesADAuth/pass.json b/tests/arm/checks/resource/example_SQLServerUsesADAuth/pass.json new file mode 100644 index 00000000000..a14d0be0cb6 --- /dev/null +++ b/tests/arm/checks/resource/example_SQLServerUsesADAuth/pass.json @@ -0,0 +1,179 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "administratorLogin": { + "type": "string", + "defaultValue": "" + }, + "administratorLoginPassword": { + "type": "securestring", + "defaultValue": "" + }, + "administrators": { + "type": "object", + "defaultValue": {} + }, + "location": { + "type": "string" + }, + "serverName": { + "type": "string" + }, + "enableADS": { + "type": "bool", + "defaultValue": false + }, + "useVAManagedIdentity": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "To enable vulnerability assessments, the user deploying this template must have an administrator or owner permissions." + } + }, + "vaStoragelessEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Flag for enabling vulnerability assessments with express configuration (storage less), the user deploying this template must have administrator or owner permissions." + } + }, + "publicNetworkAccess": { + "type": "string", + "defaultValue": "" + }, + "minimalTlsVersion": { + "type": "string", + "defaultValue": "" + }, + "allowAzureIps": { + "type": "bool", + "defaultValue": true + }, + "enableVA": { + "type": "bool", + "defaultValue": false + }, + "serverTags": { + "type": "object", + "defaultValue": {} + } + }, + "variables": { + "subscriptionId": "[subscription().subscriptionId]", + "resourceGroupName": "[resourceGroup().name]", + "uniqueStorage": "[uniqueString(variables('subscriptionId'), variables('resourceGroupName'), parameters('location'))]", + "storageName": "[tolower(concat('sqlva', variables('uniqueStorage')))]", + "uniqueRoleGuid": "[guid(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), variables('storageBlobContributor'), resourceId('Microsoft.Sql/servers', parameters('serverName')))]", + "StorageBlobContributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]" + }, + "resources": [ + { + "condition": "[parameters('enableVA')]", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-04-01", + "name": "[variables('storageName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_LRS" + }, + "kind": "StorageV2", + "properties": { + "minimumTlsVersion": "TLS1_2", + "supportsHttpsTrafficOnly": "true", + "allowBlobPublicAccess": "false" + }, + "resources": [ + { + "condition": "[parameters('useVAManagedIdentity')]", + "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[concat(variables('storageName'), '/Microsoft.Authorization/', variables('uniqueRoleGuid') )]", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]" + ], + "properties": { + "roleDefinitionId": "[variables('StorageBlobContributor')]", + "principalId": "[reference(resourceId('Microsoft.Sql/servers', parameters('serverName')), '2018-06-01-preview', 'Full').identity.principalId]", + "scope": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))]", + "principalType": "ServicePrincipal" + } + } + ] + }, + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2020-11-01-preview", + "name": "pass", + "location": "[parameters('location')]", + "properties": { + "version": "12.0", + "minimalTlsVersion": "[parameters('minimalTlsVersion')]", + "publicNetworkAccess": "[parameters('publicNetworkAccess')]", + "administrators": "[parameters('administrators')]" + }, + "identity": "[if(and(parameters('enableVA'),parameters('useVAManagedIdentity')), json('{\"type\":\"SystemAssigned\"}'), json('null'))]", + "tags": "[parameters('serverTags')]", + "resources": [ + { + "condition": "[parameters('allowAzureIPs')]", + "type": "firewallRules", + "apiVersion": "2021-11-01", + "name": "AllowAllWindowsAzureIps", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]" + ], + "properties": { + "endIpAddress": "0.0.0.0", + "startIpAddress": "0.0.0.0" + } + }, + { + "condition": "[parameters('enableADS')]", + "type": "advancedThreatProtectionSettings", + "apiVersion": "2021-11-01-preview", + "name": "Default", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]" + ], + "properties": { + "state": "Enabled" + } + }, + { + "condition": "[parameters('enableVA')]", + "type": "vulnerabilityAssessments", + "apiVersion": "2018-06-01-preview", + "name": "Default", + "dependsOn": [ + "[concat('Microsoft.Sql/servers/', parameters('serverName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('storageName'))]", + "[concat('Microsoft.Sql/servers/', parameters('serverName'), '/advancedThreatProtectionSettings/Default')]" + ], + "properties": { + "storageContainerPath": "[if(parameters('enableVA'), concat(reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageName'))).primaryEndpoints.blob, 'vulnerability-assessment'), '')]", + "storageAccountAccessKey": "[if(and(parameters('enableVA'),not(parameters('useVAManagedIdentity'))), listKeys(variables('storageName'), '2018-02-01').keys[0].value, '')]", + "recurringScans": { + "isEnabled": true, + "emailSubscriptionAdmins": false + } + } + }, + { + "condition": "[parameters('vaStoragelessEnabled')]", + "type": "sqlVulnerabilityAssessments", + "apiVersion": "2022-02-01-preview", + "name": "Default", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]" + ], + "properties": { + "state": "Enabled" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/failed-vm.json b/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/failed-vm.json new file mode 100644 index 00000000000..64de7a2d7c7 --- /dev/null +++ b/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/failed-vm.json @@ -0,0 +1,235 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "networkInterfaceName1": { + "type": "string" + }, + "enableAcceleratedNetworking": { + "type": "bool" + }, + "networkSecurityGroupName": { + "type": "string" + }, + "networkSecurityGroupRules": { + "type": "array" + }, + "subnetName": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "addressPrefixes": { + "type": "array" + }, + "subnets": { + "type": "array" + }, + "publicIpAddressName1": { + "type": "string" + }, + "publicIpAddressType": { + "type": "string" + }, + "publicIpAddressSku": { + "type": "string" + }, + "pipDeleteOption": { + "type": "string" + }, + "virtualMachineName": { + "type": "string" + }, + "virtualMachineName1": { + "type": "string" + }, + "virtualMachineComputerName1": { + "type": "string" + }, + "virtualMachineRG": { + "type": "string" + }, + "osDiskType": { + "type": "string" + }, + "osDiskDeleteOption": { + "type": "string" + }, + "virtualMachineSize": { + "type": "string" + }, + "nicDeleteOption": { + "type": "string" + }, + "adminUsername": { + "type": "string" + }, + "adminPassword": { + "type": "secureString" + }, + "securityType": { + "type": "string" + }, + "secureBoot": { + "type": "bool" + }, + "vTPM": { + "type": "bool" + }, + "virtualMachine1Zone": { + "type": "string" + } + }, + "variables": { + "nsgId": "[resourceId(resourceGroup().name, 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]", + "vnetName": "[parameters('virtualNetworkName')]", + "vnetId": "[resourceId(resourceGroup().name,'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "subnetRef": "[concat(variables('vnetId'), '/subnets/', parameters('subnetName'))]" + }, + "resources": [ + { + "name": "[parameters('networkInterfaceName1')]", + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2022-11-01", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/networkSecurityGroups/', parameters('networkSecurityGroupName'))]", + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", + "[concat('Microsoft.Network/publicIpAddresses/', parameters('publicIpAddressName1'))]" + ], + "properties": { + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + }, + "privateIPAllocationMethod": "Dynamic", + "publicIpAddress": { + "id": "[resourceId(resourceGroup().name, 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName1'))]", + "properties": { + "deleteOption": "[parameters('pipDeleteOption')]" + } + } + } + } + ], + "enableAcceleratedNetworking": "[parameters('enableAcceleratedNetworking')]", + "networkSecurityGroup": { + "id": "[variables('nsgId')]" + } + } + }, + { + "name": "[parameters('networkSecurityGroupName')]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-02-01", + "location": "[parameters('location')]", + "properties": { + "securityRules": "[parameters('networkSecurityGroupRules')]" + } + }, + { + "name": "[parameters('virtualNetworkName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-05-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('addressPrefixes')]" + }, + "subnets": "[parameters('subnets')]" + } + }, + { + "name": "[parameters('publicIpAddressName1')]", + "type": "Microsoft.Network/publicIpAddresses", + "apiVersion": "2020-08-01", + "location": "[parameters('location')]", + "properties": { + "publicIpAllocationMethod": "[parameters('publicIpAddressType')]" + }, + "sku": { + "name": "[parameters('publicIpAddressSku')]" + }, + "zones": [ + "[parameters('virtualMachine1Zone')]" + ] + }, + { + "name": "failed", + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2022-03-01", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/networkInterfaces/', parameters('networkInterfaceName1'))]" + ], + "properties": { + "hardwareProfile": { + "vmSize": "[parameters('virtualMachineSize')]" + }, + "storageProfile": { + "osDisk": { + "createOption": "fromImage", + "managedDisk": { + "storageAccountType": "[parameters('osDiskType')]" + }, + "deleteOption": "[parameters('osDiskDeleteOption')]" + }, + "imageReference": { + "publisher": "canonical", + "offer": "0001-com-ubuntu-server-focal", + "sku": "20_04-lts-gen2", + "version": "latest" + } + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName1'))]", + "properties": { + "deleteOption": "[parameters('nicDeleteOption')]" + } + } + ] + }, + "osProfile": { + "computerName": "[parameters('virtualMachineComputerName1')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPassword')]", + "linuxConfiguration": { + "patchSettings": { + "patchMode": "ImageDefault" + } + } + }, + "securityProfile": { + "securityType": "[parameters('securityType')]", + "uefiSettings": { + "secureBootEnabled": "[parameters('secureBoot')]", + "vTpmEnabled": "[parameters('vTPM')]" + } + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": true + } + } + }, + "zones": [ + "[parameters('virtualMachine1Zone')]" + ] + } + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/failed.json b/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/failed.json new file mode 100644 index 00000000000..e178de9da41 --- /dev/null +++ b/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/failed.json @@ -0,0 +1,217 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "osDiskType": { + "type": "string" + }, + "addressPrefixes": { + "type": "array" + }, + "subnets": { + "type": "array" + }, + "virtualNetworkId": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "networkSecurityGroups": { + "type": "array" + }, + "networkInterfaceConfigurations": { + "type": "array" + }, + "vmName": { + "type": "string" + }, + "virtualMachineScaleSetName": { + "type": "string" + }, + "instanceCount": { + "type": "string" + }, + "instanceSize": { + "type": "string" + }, + "adminUsername": { + "type": "string" + }, + "adminPassword": { + "type": "secureString" + }, + "securityType": { + "type": "string" + }, + "secureBoot": { + "type": "bool" + }, + "vTPM": { + "type": "bool" + }, + "platformFaultDomainCount": { + "type": "string" + } + }, + "variables": { + "storageApiVersion": "2021-01-01", + "networkApiVersion": "2020-11-01", + "virtualMachineScaleSetApiVersion": "2023-03-01", + "namingInfix": "[toLower(substring(concat(parameters('virtualMachineScaleSetName'), uniqueString(resourceGroup().id)), 0, 9))]" + }, + "resources": [ + { + "name": "[parameters('virtualNetworkName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-05-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('addressPrefixes')]" + }, + "subnets": "[parameters('subnets')]" + } + }, + { + "name": "[parameters('networkSecurityGroups')[copyIndex()].name]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-02-01", + "location": "[parameters('location')]", + "properties": { + "securityRules": "[parameters('networkSecurityGroups')[copyIndex()].rules]" + }, + "copy": { + "name": "networkSecurityGroups", + "count": "[length(parameters('networkSecurityGroups'))]" + } + }, + { + "name": "failed", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "[variables('virtualMachineScaleSetApiVersion')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", + "networkSecurityGroups", + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]" + ], + "properties": { + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "createOption": "fromImage", + "caching": "ReadWrite", + "managedDisk": { + "storageAccountType": "[parameters('osDiskType')]" + } + }, + "imageReference": { + "publisher": "canonical", + "offer": "0001-com-ubuntu-server-focal", + "sku": "20_04-lts-gen2", + "version": "latest" + } + }, + "networkProfile": { + "networkApiVersion": "[variables('networkApiVersion')]", + "copy": [ + { + "name": "networkInterfaceConfigurations", + "count": "[length(parameters('networkInterfaceConfigurations'))]", + "input": { + "name": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name]", + "properties": { + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "enableAcceleratedNetworking": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].enableAcceleratedNetworking]", + "ipConfigurations": [ + { + "name": "[concat(take(parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name, sub(80, length('-defaultIpConfiguration'))), '-defaultIpConfiguration')]", + "properties": { + "subnet": { + "id": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].subnetId]" + }, + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "applicationGatewayBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].applicationGatewayBackendAddressPools]", + "loadBalancerBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].loadBalancerBackendAddressPools]", + "publicIPAddressConfiguration": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, ''), json('null'), union(json(concat('{\"name\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, '\"}'))\n ,json('{\"properties\": { \"idleTimeoutInMinutes\": 15}}')))]" + } + } + ], + "networkSecurityGroup": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, ''), json('null'),json(concat('{\"id\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, '\"}')))]" + } + } + } + ] + }, + "extensionProfile": { + "extensions": [ + { + "name": "GuestAttestation", + "properties": { + "publisher": "Microsoft.Azure.Security.LinuxAttestation", + "type": "GuestAttestation", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "AttestationConfig": { + "MaaSettings": { + "maaEndpoint": "", + "maaTenantName": "GuestAttestation" + }, + "AscSettings": { + "ascReportingEndpoint": "", + "ascReportingFrequency": "" + }, + "useCustomToken": "false", + "disableAlerts": "false" + } + } + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": true + } + }, + "osProfile": { + "computerNamePrefix": "[variables('namingInfix')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPassword')]", + "linuxConfiguration": { + "disablePasswordAuthentication": false, + "patchSettings": { + "patchMode": "ImageDefault" + } + } + }, + "securityProfile": { + "securityType": "[parameters('securityType')]", + "uefiSettings": { + "secureBootEnabled": "[parameters('secureBoot')]", + "vTpmEnabled": "[parameters('vTPM')]" + } + } + }, + "orchestrationMode": "Flexible", + "platformFaultDomainCount": "[parameters('platformFaultDomainCount')]" + }, + "sku": { + "name": "[parameters('instanceSize')]", + "capacity": "[int(parameters('instanceCount'))]" + } + } + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/passed-vm.json b/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/passed-vm.json new file mode 100644 index 00000000000..ccfe42d90d5 --- /dev/null +++ b/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/passed-vm.json @@ -0,0 +1,229 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "networkInterfaceName1": { + "type": "string" + }, + "enableAcceleratedNetworking": { + "type": "bool" + }, + "networkSecurityGroupName": { + "type": "string" + }, + "networkSecurityGroupRules": { + "type": "array" + }, + "subnetName": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "addressPrefixes": { + "type": "array" + }, + "subnets": { + "type": "array" + }, + "publicIpAddressName1": { + "type": "string" + }, + "publicIpAddressType": { + "type": "string" + }, + "publicIpAddressSku": { + "type": "string" + }, + "pipDeleteOption": { + "type": "string" + }, + "virtualMachineName": { + "type": "string" + }, + "virtualMachineName1": { + "type": "string" + }, + "virtualMachineComputerName1": { + "type": "string" + }, + "virtualMachineRG": { + "type": "string" + }, + "osDiskType": { + "type": "string" + }, + "osDiskDeleteOption": { + "type": "string" + }, + "virtualMachineSize": { + "type": "string" + }, + "nicDeleteOption": { + "type": "string" + }, + "adminUsername": { + "type": "string" + }, + "securityType": { + "type": "string" + }, + "secureBoot": { + "type": "bool" + }, + "vTPM": { + "type": "bool" + }, + "virtualMachine1Zone": { + "type": "string" + } + }, + "variables": { + "nsgId": "[resourceId(resourceGroup().name, 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]", + "vnetName": "[parameters('virtualNetworkName')]", + "vnetId": "[resourceId(resourceGroup().name,'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "subnetRef": "[concat(variables('vnetId'), '/subnets/', parameters('subnetName'))]" + }, + "resources": [ + { + "name": "[parameters('networkInterfaceName1')]", + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2022-11-01", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/networkSecurityGroups/', parameters('networkSecurityGroupName'))]", + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", + "[concat('Microsoft.Network/publicIpAddresses/', parameters('publicIpAddressName1'))]" + ], + "properties": { + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + }, + "privateIPAllocationMethod": "Dynamic", + "publicIpAddress": { + "id": "[resourceId(resourceGroup().name, 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName1'))]", + "properties": { + "deleteOption": "[parameters('pipDeleteOption')]" + } + } + } + } + ], + "enableAcceleratedNetworking": "[parameters('enableAcceleratedNetworking')]", + "networkSecurityGroup": { + "id": "[variables('nsgId')]" + } + } + }, + { + "name": "[parameters('networkSecurityGroupName')]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-02-01", + "location": "[parameters('location')]", + "properties": { + "securityRules": "[parameters('networkSecurityGroupRules')]" + } + }, + { + "name": "[parameters('virtualNetworkName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-05-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('addressPrefixes')]" + }, + "subnets": "[parameters('subnets')]" + } + }, + { + "name": "[parameters('publicIpAddressName1')]", + "type": "Microsoft.Network/publicIpAddresses", + "apiVersion": "2020-08-01", + "location": "[parameters('location')]", + "properties": { + "publicIpAllocationMethod": "[parameters('publicIpAddressType')]" + }, + "sku": { + "name": "[parameters('publicIpAddressSku')]" + }, + "zones": [ + "[parameters('virtualMachine1Zone')]" + ] + }, + { + "name": "passed", + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2022-03-01", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/networkInterfaces/', parameters('networkInterfaceName1'))]" + ], + "properties": { + "hardwareProfile": { + "vmSize": "[parameters('virtualMachineSize')]" + }, + "storageProfile": { + "osDisk": { + "createOption": "fromImage", + "managedDisk": { + "storageAccountType": "[parameters('osDiskType')]" + }, + "deleteOption": "[parameters('osDiskDeleteOption')]" + }, + "imageReference": { + "publisher": "canonical", + "offer": "0001-com-ubuntu-server-focal", + "sku": "20_04-lts-gen2", + "version": "latest" + } + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName1'))]", + "properties": { + "deleteOption": "[parameters('nicDeleteOption')]" + } + } + ] + }, + "osProfile": { + "computerName": "[parameters('virtualMachineComputerName1')]", + "adminUsername": "[parameters('adminUsername')]", + "linuxConfiguration": { + "disablePasswordAuthentication": true + } + }, + "securityProfile": { + "securityType": "[parameters('securityType')]", + "uefiSettings": { + "secureBootEnabled": "[parameters('secureBoot')]", + "vTpmEnabled": "[parameters('vTPM')]" + } + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": true + } + } + }, + "zones": [ + "[parameters('virtualMachine1Zone')]" + ] + } + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/passed.json b/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/passed.json new file mode 100644 index 00000000000..28bc9a58790 --- /dev/null +++ b/tests/arm/checks/resource/example_VMDisablePasswordAuthentication/passed.json @@ -0,0 +1,210 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "osDiskType": { + "type": "string" + }, + "addressPrefixes": { + "type": "array" + }, + "subnets": { + "type": "array" + }, + "virtualNetworkId": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "networkSecurityGroups": { + "type": "array" + }, + "networkInterfaceConfigurations": { + "type": "array" + }, + "vmName": { + "type": "string" + }, + "virtualMachineScaleSetName": { + "type": "string" + }, + "instanceCount": { + "type": "string" + }, + "instanceSize": { + "type": "string" + }, + "adminUsername": { + "type": "string" + }, + "securityType": { + "type": "string" + }, + "secureBoot": { + "type": "bool" + }, + "vTPM": { + "type": "bool" + }, + "platformFaultDomainCount": { + "type": "string" + } + }, + "variables": { + "storageApiVersion": "2021-01-01", + "networkApiVersion": "2020-11-01", + "virtualMachineScaleSetApiVersion": "2023-03-01", + "namingInfix": "[toLower(substring(concat(parameters('virtualMachineScaleSetName'), uniqueString(resourceGroup().id)), 0, 9))]" + }, + "resources": [ + { + "name": "[parameters('virtualNetworkName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-05-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('addressPrefixes')]" + }, + "subnets": "[parameters('subnets')]" + } + }, + { + "name": "[parameters('networkSecurityGroups')[copyIndex()].name]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-02-01", + "location": "[parameters('location')]", + "properties": { + "securityRules": "[parameters('networkSecurityGroups')[copyIndex()].rules]" + }, + "copy": { + "name": "networkSecurityGroups", + "count": "[length(parameters('networkSecurityGroups'))]" + } + }, + { + "name": "passed", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "[variables('virtualMachineScaleSetApiVersion')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", + "networkSecurityGroups", + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]" + ], + "properties": { + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "createOption": "fromImage", + "caching": "ReadWrite", + "managedDisk": { + "storageAccountType": "[parameters('osDiskType')]" + } + }, + "imageReference": { + "publisher": "canonical", + "offer": "0001-com-ubuntu-server-focal", + "sku": "20_04-lts-gen2", + "version": "latest" + } + }, + "networkProfile": { + "networkApiVersion": "[variables('networkApiVersion')]", + "copy": [ + { + "name": "networkInterfaceConfigurations", + "count": "[length(parameters('networkInterfaceConfigurations'))]", + "input": { + "name": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name]", + "properties": { + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "enableAcceleratedNetworking": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].enableAcceleratedNetworking]", + "ipConfigurations": [ + { + "name": "[concat(take(parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name, sub(80, length('-defaultIpConfiguration'))), '-defaultIpConfiguration')]", + "properties": { + "subnet": { + "id": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].subnetId]" + }, + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "applicationGatewayBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].applicationGatewayBackendAddressPools]", + "loadBalancerBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].loadBalancerBackendAddressPools]", + "publicIPAddressConfiguration": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, ''), json('null'), union(json(concat('{\"name\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, '\"}'))\n ,json('{\"properties\": { \"idleTimeoutInMinutes\": 15}}')))]" + } + } + ], + "networkSecurityGroup": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, ''), json('null'),json(concat('{\"id\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, '\"}')))]" + } + } + } + ] + }, + "extensionProfile": { + "extensions": [ + { + "name": "GuestAttestation", + "properties": { + "publisher": "Microsoft.Azure.Security.LinuxAttestation", + "type": "GuestAttestation", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "AttestationConfig": { + "MaaSettings": { + "maaEndpoint": "", + "maaTenantName": "GuestAttestation" + }, + "AscSettings": { + "ascReportingEndpoint": "", + "ascReportingFrequency": "" + }, + "useCustomToken": "false", + "disableAlerts": "false" + } + } + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": true + } + }, + "osProfile": { + "computerNamePrefix": "[variables('namingInfix')]", + "adminUsername": "[parameters('adminUsername')]", + "linuxConfiguration": { + "disablePasswordAuthentication": true + } + }, + "securityProfile": { + "securityType": "[parameters('securityType')]", + "uefiSettings": { + "secureBootEnabled": "[parameters('secureBoot')]", + "vTpmEnabled": "[parameters('vTPM')]" + } + } + }, + "orchestrationMode": "Flexible", + "platformFaultDomainCount": "[parameters('platformFaultDomainCount')]" + }, + "sku": { + "name": "[parameters('instanceSize')]", + "capacity": "[int(parameters('instanceCount'))]" + } + } + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/fail-windows.json b/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/fail-windows.json new file mode 100644 index 00000000000..8a989b4e0dd --- /dev/null +++ b/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/fail-windows.json @@ -0,0 +1,231 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "osDiskType": { + "type": "string" + }, + "addressPrefixes": { + "type": "array" + }, + "subnets": { + "type": "array" + }, + "virtualNetworkId": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "networkSecurityGroups": { + "type": "array" + }, + "networkInterfaceConfigurations": { + "type": "array" + }, + "vmName": { + "type": "string" + }, + "virtualMachineScaleSetName": { + "type": "string" + }, + "singlePlacementGroup": { + "type": "string" + }, + "instanceCount": { + "type": "string" + }, + "instanceSize": { + "type": "string" + }, + "scaleInPolicy": { + "type": "object" + }, + "overprovision": { + "type": "bool" + }, + "upgradePolicy": { + "type": "string" + }, + "adminUsername": { + "type": "string" + }, + "adminPassword": { + "type": "secureString" + }, + "securityType": { + "type": "string" + }, + "secureBoot": { + "type": "bool" + }, + "vTPM": { + "type": "bool" + }, + "platformFaultDomainCount": { + "type": "string" + } + }, + "variables": { + "storageApiVersion": "2021-01-01", + "virtualMachineScaleSetApiVersion": "2023-03-01", + "namingInfix": "[toLower(substring(concat(parameters('virtualMachineScaleSetName'), uniqueString(resourceGroup().id)), 0, 9))]" + }, + "resources": [ + { + "name": "[parameters('virtualNetworkName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-05-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('addressPrefixes')]" + }, + "subnets": "[parameters('subnets')]" + } + }, + { + "name": "[parameters('networkSecurityGroups')[copyIndex()].name]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-02-01", + "location": "[parameters('location')]", + "properties": { + "securityRules": "[parameters('networkSecurityGroups')[copyIndex()].rules]" + }, + "copy": { + "name": "networkSecurityGroups", + "count": "[length(parameters('networkSecurityGroups'))]" + } + }, + { + "name": "fail-windows", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "[variables('virtualMachineScaleSetApiVersion')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", + "networkSecurityGroups", + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]" + ], + "properties": { + "singlePlacementGroup": "[parameters('singlePlacementGroup')]", + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "createOption": "fromImage", + "caching": "ReadWrite", + "managedDisk": { + "storageAccountType": "[parameters('osDiskType')]" + } + }, + "imageReference": { + "publisher": "MicrosoftWindowsServer", + "offer": "WindowsServer", + "sku": "2019-datacenter-gensecond", + "version": "latest" + } + }, + "networkProfile": { + "copy": [ + { + "name": "networkInterfaceConfigurations", + "count": "[length(parameters('networkInterfaceConfigurations'))]", + "input": { + "name": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name]", + "properties": { + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "enableAcceleratedNetworking": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].enableAcceleratedNetworking]", + "ipConfigurations": [ + { + "name": "[concat(take(parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name, sub(80, length('-defaultIpConfiguration'))), '-defaultIpConfiguration')]", + "properties": { + "subnet": { + "id": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].subnetId]" + }, + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "applicationGatewayBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].applicationGatewayBackendAddressPools]", + "loadBalancerBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].loadBalancerBackendAddressPools]", + "publicIPAddressConfiguration": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, ''), json('null'), union(json(concat('{\"name\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, '\"}'))\n ,json('{\"properties\": { \"idleTimeoutInMinutes\": 15}}')))]", + "loadBalancerInboundNatPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].loadBalancerInboundNatPools]" + } + } + ], + "networkSecurityGroup": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, ''), json('null'),json(concat('{\"id\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, '\"}')))]" + } + } + } + ] + }, + "extensionProfile": { + "extensions": [ + { + "name": "GuestAttestation", + "properties": { + "publisher": "Microsoft.Azure.Security.WindowsAttestation", + "type": "GuestAttestation", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": false, + "settings": { + "AttestationConfig": { + "MaaSettings": { + "maaEndpoint": "", + "maaTenantName": "GuestAttestation" + }, + "AscSettings": { + "ascReportingEndpoint": "", + "ascReportingFrequency": "" + }, + "useCustomToken": "false", + "disableAlerts": "false" + } + } + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": true + } + }, + "osProfile": { + "computerNamePrefix": "[variables('namingInfix')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPassword')]", + "windowsConfiguration": { + "provisionVmAgent": true + } + }, + "securityProfile": { + "securityType": "[parameters('securityType')]", + "uefiSettings": { + "secureBootEnabled": "[parameters('secureBoot')]", + "vTpmEnabled": "[parameters('vTPM')]" + } + } + }, + "orchestrationMode": "Uniform", + "scaleInPolicy": "[parameters('scaleInPolicy')]", + "overprovision": "[parameters('overprovision')]", + "upgradePolicy": { + "mode": "[parameters('upgradePolicy')]" + }, + "platformFaultDomainCount": "[parameters('platformFaultDomainCount')]" + }, + "sku": { + "name": "[parameters('instanceSize')]", + "capacity": "[int(parameters('instanceCount'))]" + } + } + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/fail-windows2.json b/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/fail-windows2.json new file mode 100644 index 00000000000..5396e5fa74b --- /dev/null +++ b/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/fail-windows2.json @@ -0,0 +1,225 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "osDiskType": { + "type": "string" + }, + "addressPrefixes": { + "type": "array" + }, + "subnets": { + "type": "array" + }, + "virtualNetworkId": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "networkSecurityGroups": { + "type": "array" + }, + "networkInterfaceConfigurations": { + "type": "array" + }, + "vmName": { + "type": "string" + }, + "virtualMachineScaleSetName": { + "type": "string" + }, + "instanceCount": { + "type": "string" + }, + "instanceSize": { + "type": "string" + }, + "adminUsername": { + "type": "string" + }, + "adminPassword": { + "type": "secureString" + }, + "patchMode": { + "type": "string" + }, + "enableHotpatching": { + "type": "bool" + }, + "securityType": { + "type": "string" + }, + "secureBoot": { + "type": "bool" + }, + "vTPM": { + "type": "bool" + }, + "platformFaultDomainCount": { + "type": "string" + } + }, + "variables": { + "storageApiVersion": "2021-01-01", + "networkApiVersion": "2020-11-01", + "virtualMachineScaleSetApiVersion": "2023-03-01", + "namingInfix": "[toLower(substring(concat(parameters('virtualMachineScaleSetName'), uniqueString(resourceGroup().id)), 0, 9))]" + }, + "resources": [ + { + "name": "[parameters('virtualNetworkName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-05-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('addressPrefixes')]" + }, + "subnets": "[parameters('subnets')]" + } + }, + { + "name": "[parameters('networkSecurityGroups')[copyIndex()].name]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-02-01", + "location": "[parameters('location')]", + "properties": { + "securityRules": "[parameters('networkSecurityGroups')[copyIndex()].rules]" + }, + "copy": { + "name": "networkSecurityGroups", + "count": "[length(parameters('networkSecurityGroups'))]" + } + }, + { + "name": "fail-windows2", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "[variables('virtualMachineScaleSetApiVersion')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", + "networkSecurityGroups", + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]" + ], + "properties": { + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "createOption": "fromImage", + "caching": "ReadWrite", + "managedDisk": { + "storageAccountType": "[parameters('osDiskType')]" + } + }, + "imageReference": { + "publisher": "MicrosoftWindowsServer", + "offer": "WindowsServer", + "sku": "2019-datacenter-gensecond", + "version": "latest" + } + }, + "networkProfile": { + "networkApiVersion": "[variables('networkApiVersion')]", + "copy": [ + { + "name": "networkInterfaceConfigurations", + "count": "[length(parameters('networkInterfaceConfigurations'))]", + "input": { + "name": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name]", + "properties": { + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "enableAcceleratedNetworking": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].enableAcceleratedNetworking]", + "ipConfigurations": [ + { + "name": "[concat(take(parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name, sub(80, length('-defaultIpConfiguration'))), '-defaultIpConfiguration')]", + "properties": { + "subnet": { + "id": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].subnetId]" + }, + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "applicationGatewayBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].applicationGatewayBackendAddressPools]", + "loadBalancerBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].loadBalancerBackendAddressPools]", + "publicIPAddressConfiguration": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, ''), json('null'), union(json(concat('{\"name\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, '\"}'))\n ,json('{\"properties\": { \"idleTimeoutInMinutes\": 15}}')))]" + } + } + ], + "networkSecurityGroup": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, ''), json('null'),json(concat('{\"id\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, '\"}')))]" + } + } + } + ] + }, + "extensionProfile": { + "extensions": [ + { + "name": "GuestAttestation", + "properties": { + "publisher": "Microsoft.Azure.Security.WindowsAttestation", + "type": "GuestAttestation", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "AttestationConfig": { + "MaaSettings": { + "maaEndpoint": "", + "maaTenantName": "GuestAttestation" + }, + "AscSettings": { + "ascReportingEndpoint": "", + "ascReportingFrequency": "" + }, + "useCustomToken": "false", + "disableAlerts": "false" + } + } + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": true + } + }, + "osProfile": { + "computerNamePrefix": "[variables('namingInfix')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPassword')]", + "windowsConfiguration": { + "provisionVmAgent": true, + "enableAutomaticUpdates": true, + "patchSettings": { + "enableHotpatching": "[parameters('enableHotpatching')]", + "patchMode": "[parameters('patchMode')]" + } + } + }, + "securityProfile": { + "securityType": "[parameters('securityType')]", + "uefiSettings": { + "secureBootEnabled": "[parameters('secureBoot')]", + "vTpmEnabled": "[parameters('vTPM')]" + } + } + }, + "orchestrationMode": "Flexible", + "platformFaultDomainCount": "[parameters('platformFaultDomainCount')]" + }, + "sku": { + "name": "[parameters('instanceSize')]", + "capacity": "[int(parameters('instanceCount'))]" + } + } + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/fail.json b/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/fail.json new file mode 100644 index 00000000000..79a393ebabf --- /dev/null +++ b/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/fail.json @@ -0,0 +1,227 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "osDiskType": { + "type": "string" + }, + "addressPrefixes": { + "type": "array" + }, + "subnets": { + "type": "array" + }, + "virtualNetworkId": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "networkSecurityGroups": { + "type": "array" + }, + "networkInterfaceConfigurations": { + "type": "array" + }, + "vmName": { + "type": "string" + }, + "virtualMachineScaleSetName": { + "type": "string" + }, + "singlePlacementGroup": { + "type": "string" + }, + "instanceCount": { + "type": "string" + }, + "instanceSize": { + "type": "string" + }, + "scaleInPolicy": { + "type": "object" + }, + "overprovision": { + "type": "bool" + }, + "upgradePolicy": { + "type": "string" + }, + "adminUsername": { + "type": "string" + }, + "securityType": { + "type": "string" + }, + "secureBoot": { + "type": "bool" + }, + "vTPM": { + "type": "bool" + }, + "platformFaultDomainCount": { + "type": "string" + } + }, + "variables": { + "storageApiVersion": "2021-01-01", + "virtualMachineScaleSetApiVersion": "2023-03-01", + "namingInfix": "[toLower(substring(concat(parameters('virtualMachineScaleSetName'), uniqueString(resourceGroup().id)), 0, 9))]" + }, + "resources": [ + { + "name": "[parameters('virtualNetworkName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-05-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('addressPrefixes')]" + }, + "subnets": "[parameters('subnets')]" + } + }, + { + "name": "[parameters('networkSecurityGroups')[copyIndex()].name]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-02-01", + "location": "[parameters('location')]", + "properties": { + "securityRules": "[parameters('networkSecurityGroups')[copyIndex()].rules]" + }, + "copy": { + "name": "networkSecurityGroups", + "count": "[length(parameters('networkSecurityGroups'))]" + } + }, + { + "name": "fail", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "[variables('virtualMachineScaleSetApiVersion')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", + "networkSecurityGroups", + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]" + ], + "properties": { + "singlePlacementGroup": "[parameters('singlePlacementGroup')]", + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "createOption": "fromImage", + "caching": "ReadWrite", + "managedDisk": { + "storageAccountType": "[parameters('osDiskType')]" + } + }, + "imageReference": { + "publisher": "canonical", + "offer": "0001-com-ubuntu-server-focal", + "sku": "20_04-lts-gen2", + "version": "latest" + } + }, + "networkProfile": { + "copy": [ + { + "name": "networkInterfaceConfigurations", + "count": "[length(parameters('networkInterfaceConfigurations'))]", + "input": { + "name": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name]", + "properties": { + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "enableAcceleratedNetworking": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].enableAcceleratedNetworking]", + "ipConfigurations": [ + { + "name": "[concat(take(parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name, sub(80, length('-defaultIpConfiguration'))), '-defaultIpConfiguration')]", + "properties": { + "subnet": { + "id": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].subnetId]" + }, + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "applicationGatewayBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].applicationGatewayBackendAddressPools]", + "loadBalancerBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].loadBalancerBackendAddressPools]", + "publicIPAddressConfiguration": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, ''), json('null'), union(json(concat('{\"name\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, '\"}'))\n ,json('{\"properties\": { \"idleTimeoutInMinutes\": 15}}')))]", + "loadBalancerInboundNatPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].loadBalancerInboundNatPools]" + } + } + ], + "networkSecurityGroup": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, ''), json('null'),json(concat('{\"id\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, '\"}')))]" + } + } + } + ] + }, + "extensionProfile": { + "extensions": [ + { + "name": "GuestAttestation", + "properties": { + "publisher": "Microsoft.Azure.Security.LinuxAttestation", + "type": "GuestAttestation", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": false, + "settings": { + "AttestationConfig": { + "MaaSettings": { + "maaEndpoint": "", + "maaTenantName": "GuestAttestation" + }, + "AscSettings": { + "ascReportingEndpoint": "", + "ascReportingFrequency": "" + }, + "useCustomToken": "false", + "disableAlerts": "false" + } + } + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": true + } + }, + "osProfile": { + "computerNamePrefix": "[variables('namingInfix')]", + "adminUsername": "[parameters('adminUsername')]", + "linuxConfiguration": { + "disablePasswordAuthentication": true + } + }, + "securityProfile": { + "securityType": "[parameters('securityType')]", + "uefiSettings": { + "secureBootEnabled": "[parameters('secureBoot')]", + "vTpmEnabled": "[parameters('vTPM')]" + } + } + }, + "orchestrationMode": "Uniform", + "scaleInPolicy": "[parameters('scaleInPolicy')]", + "overprovision": "[parameters('overprovision')]", + "upgradePolicy": { + "mode": "[parameters('upgradePolicy')]" + }, + "platformFaultDomainCount": "[parameters('platformFaultDomainCount')]" + }, + "sku": { + "name": "[parameters('instanceSize')]", + "capacity": "[int(parameters('instanceCount'))]" + } + } + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/fail2.json b/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/fail2.json new file mode 100644 index 00000000000..fab90d564f8 --- /dev/null +++ b/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/fail2.json @@ -0,0 +1,210 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "osDiskType": { + "type": "string" + }, + "addressPrefixes": { + "type": "array" + }, + "subnets": { + "type": "array" + }, + "virtualNetworkId": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "networkSecurityGroups": { + "type": "array" + }, + "networkInterfaceConfigurations": { + "type": "array" + }, + "vmName": { + "type": "string" + }, + "virtualMachineScaleSetName": { + "type": "string" + }, + "instanceCount": { + "type": "string" + }, + "instanceSize": { + "type": "string" + }, + "adminUsername": { + "type": "string" + }, + "securityType": { + "type": "string" + }, + "secureBoot": { + "type": "bool" + }, + "vTPM": { + "type": "bool" + }, + "platformFaultDomainCount": { + "type": "string" + } + }, + "variables": { + "storageApiVersion": "2021-01-01", + "networkApiVersion": "2020-11-01", + "virtualMachineScaleSetApiVersion": "2023-03-01", + "namingInfix": "[toLower(substring(concat(parameters('virtualMachineScaleSetName'), uniqueString(resourceGroup().id)), 0, 9))]" + }, + "resources": [ + { + "name": "[parameters('virtualNetworkName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-05-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('addressPrefixes')]" + }, + "subnets": "[parameters('subnets')]" + } + }, + { + "name": "[parameters('networkSecurityGroups')[copyIndex()].name]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-02-01", + "location": "[parameters('location')]", + "properties": { + "securityRules": "[parameters('networkSecurityGroups')[copyIndex()].rules]" + }, + "copy": { + "name": "networkSecurityGroups", + "count": "[length(parameters('networkSecurityGroups'))]" + } + }, + { + "name": "fail2", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "[variables('virtualMachineScaleSetApiVersion')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", + "networkSecurityGroups", + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]" + ], + "properties": { + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "createOption": "fromImage", + "caching": "ReadWrite", + "managedDisk": { + "storageAccountType": "[parameters('osDiskType')]" + } + }, + "imageReference": { + "publisher": "canonical", + "offer": "0001-com-ubuntu-server-focal", + "sku": "20_04-lts-gen2", + "version": "latest" + } + }, + "networkProfile": { + "networkApiVersion": "[variables('networkApiVersion')]", + "copy": [ + { + "name": "networkInterfaceConfigurations", + "count": "[length(parameters('networkInterfaceConfigurations'))]", + "input": { + "name": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name]", + "properties": { + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "enableAcceleratedNetworking": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].enableAcceleratedNetworking]", + "ipConfigurations": [ + { + "name": "[concat(take(parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name, sub(80, length('-defaultIpConfiguration'))), '-defaultIpConfiguration')]", + "properties": { + "subnet": { + "id": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].subnetId]" + }, + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "applicationGatewayBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].applicationGatewayBackendAddressPools]", + "loadBalancerBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].loadBalancerBackendAddressPools]", + "publicIPAddressConfiguration": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, ''), json('null'), union(json(concat('{\"name\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, '\"}'))\n ,json('{\"properties\": { \"idleTimeoutInMinutes\": 15}}')))]" + } + } + ], + "networkSecurityGroup": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, ''), json('null'),json(concat('{\"id\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, '\"}')))]" + } + } + } + ] + }, + "extensionProfile": { + "extensions": [ + { + "name": "GuestAttestation", + "properties": { + "publisher": "Microsoft.Azure.Security.LinuxAttestation", + "type": "GuestAttestation", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "AttestationConfig": { + "MaaSettings": { + "maaEndpoint": "", + "maaTenantName": "GuestAttestation" + }, + "AscSettings": { + "ascReportingEndpoint": "", + "ascReportingFrequency": "" + }, + "useCustomToken": "false", + "disableAlerts": "false" + } + } + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": true + } + }, + "osProfile": { + "computerNamePrefix": "[variables('namingInfix')]", + "adminUsername": "[parameters('adminUsername')]", + "linuxConfiguration": { + "disablePasswordAuthentication": true + } + }, + "securityProfile": { + "securityType": "[parameters('securityType')]", + "uefiSettings": { + "secureBootEnabled": "[parameters('secureBoot')]", + "vTpmEnabled": "[parameters('vTPM')]" + } + } + }, + "orchestrationMode": "Flexible", + "platformFaultDomainCount": "[parameters('platformFaultDomainCount')]" + }, + "sku": { + "name": "[parameters('instanceSize')]", + "capacity": "[int(parameters('instanceCount'))]" + } + } + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/pass-windows.json b/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/pass-windows.json new file mode 100644 index 00000000000..1956544eaba --- /dev/null +++ b/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/pass-windows.json @@ -0,0 +1,231 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "osDiskType": { + "type": "string" + }, + "addressPrefixes": { + "type": "array" + }, + "subnets": { + "type": "array" + }, + "virtualNetworkId": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "networkSecurityGroups": { + "type": "array" + }, + "networkInterfaceConfigurations": { + "type": "array" + }, + "vmName": { + "type": "string" + }, + "virtualMachineScaleSetName": { + "type": "string" + }, + "singlePlacementGroup": { + "type": "string" + }, + "instanceCount": { + "type": "string" + }, + "instanceSize": { + "type": "string" + }, + "scaleInPolicy": { + "type": "object" + }, + "overprovision": { + "type": "bool" + }, + "upgradePolicy": { + "type": "string" + }, + "adminUsername": { + "type": "string" + }, + "adminPassword": { + "type": "secureString" + }, + "securityType": { + "type": "string" + }, + "secureBoot": { + "type": "bool" + }, + "vTPM": { + "type": "bool" + }, + "platformFaultDomainCount": { + "type": "string" + } + }, + "variables": { + "storageApiVersion": "2021-01-01", + "virtualMachineScaleSetApiVersion": "2023-03-01", + "namingInfix": "[toLower(substring(concat(parameters('virtualMachineScaleSetName'), uniqueString(resourceGroup().id)), 0, 9))]" + }, + "resources": [ + { + "name": "[parameters('virtualNetworkName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-05-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('addressPrefixes')]" + }, + "subnets": "[parameters('subnets')]" + } + }, + { + "name": "[parameters('networkSecurityGroups')[copyIndex()].name]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-02-01", + "location": "[parameters('location')]", + "properties": { + "securityRules": "[parameters('networkSecurityGroups')[copyIndex()].rules]" + }, + "copy": { + "name": "networkSecurityGroups", + "count": "[length(parameters('networkSecurityGroups'))]" + } + }, + { + "name": "pass-windows", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "[variables('virtualMachineScaleSetApiVersion')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", + "networkSecurityGroups", + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]" + ], + "properties": { + "singlePlacementGroup": "[parameters('singlePlacementGroup')]", + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "createOption": "fromImage", + "caching": "ReadWrite", + "managedDisk": { + "storageAccountType": "[parameters('osDiskType')]" + } + }, + "imageReference": { + "publisher": "MicrosoftWindowsServer", + "offer": "WindowsServer", + "sku": "2019-datacenter-gensecond", + "version": "latest" + } + }, + "networkProfile": { + "copy": [ + { + "name": "networkInterfaceConfigurations", + "count": "[length(parameters('networkInterfaceConfigurations'))]", + "input": { + "name": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name]", + "properties": { + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "enableAcceleratedNetworking": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].enableAcceleratedNetworking]", + "ipConfigurations": [ + { + "name": "[concat(take(parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name, sub(80, length('-defaultIpConfiguration'))), '-defaultIpConfiguration')]", + "properties": { + "subnet": { + "id": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].subnetId]" + }, + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "applicationGatewayBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].applicationGatewayBackendAddressPools]", + "loadBalancerBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].loadBalancerBackendAddressPools]", + "publicIPAddressConfiguration": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, ''), json('null'), union(json(concat('{\"name\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, '\"}'))\n ,json('{\"properties\": { \"idleTimeoutInMinutes\": 15}}')))]", + "loadBalancerInboundNatPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].loadBalancerInboundNatPools]" + } + } + ], + "networkSecurityGroup": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, ''), json('null'),json(concat('{\"id\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, '\"}')))]" + } + } + } + ] + }, + "extensionProfile": { + "extensions": [ + { + "name": "GuestAttestation", + "properties": { + "publisher": "Microsoft.Azure.Security.WindowsAttestation", + "type": "GuestAttestation", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "AttestationConfig": { + "MaaSettings": { + "maaEndpoint": "", + "maaTenantName": "GuestAttestation" + }, + "AscSettings": { + "ascReportingEndpoint": "", + "ascReportingFrequency": "" + }, + "useCustomToken": "false", + "disableAlerts": "false" + } + } + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": true + } + }, + "osProfile": { + "computerNamePrefix": "[variables('namingInfix')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPassword')]", + "windowsConfiguration": { + "provisionVmAgent": true + } + }, + "securityProfile": { + "securityType": "[parameters('securityType')]", + "uefiSettings": { + "secureBootEnabled": "[parameters('secureBoot')]", + "vTpmEnabled": "[parameters('vTPM')]" + } + } + }, + "orchestrationMode": "Uniform", + "scaleInPolicy": "[parameters('scaleInPolicy')]", + "overprovision": "[parameters('overprovision')]", + "upgradePolicy": { + "mode": "[parameters('upgradePolicy')]" + }, + "platformFaultDomainCount": "[parameters('platformFaultDomainCount')]" + }, + "sku": { + "name": "[parameters('instanceSize')]", + "capacity": "[int(parameters('instanceCount'))]" + } + } + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/pass.json b/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/pass.json new file mode 100644 index 00000000000..9fa0bc825e2 --- /dev/null +++ b/tests/arm/checks/resource/example_VMScaleSetsAutoOSImagePatchingEnabled/pass.json @@ -0,0 +1,227 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "osDiskType": { + "type": "string" + }, + "addressPrefixes": { + "type": "array" + }, + "subnets": { + "type": "array" + }, + "virtualNetworkId": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "networkSecurityGroups": { + "type": "array" + }, + "networkInterfaceConfigurations": { + "type": "array" + }, + "vmName": { + "type": "string" + }, + "virtualMachineScaleSetName": { + "type": "string" + }, + "singlePlacementGroup": { + "type": "string" + }, + "instanceCount": { + "type": "string" + }, + "instanceSize": { + "type": "string" + }, + "scaleInPolicy": { + "type": "object" + }, + "overprovision": { + "type": "bool" + }, + "upgradePolicy": { + "type": "string" + }, + "adminUsername": { + "type": "string" + }, + "securityType": { + "type": "string" + }, + "secureBoot": { + "type": "bool" + }, + "vTPM": { + "type": "bool" + }, + "platformFaultDomainCount": { + "type": "string" + } + }, + "variables": { + "storageApiVersion": "2021-01-01", + "virtualMachineScaleSetApiVersion": "2023-03-01", + "namingInfix": "[toLower(substring(concat(parameters('virtualMachineScaleSetName'), uniqueString(resourceGroup().id)), 0, 9))]" + }, + "resources": [ + { + "name": "[parameters('virtualNetworkName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-05-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('addressPrefixes')]" + }, + "subnets": "[parameters('subnets')]" + } + }, + { + "name": "[parameters('networkSecurityGroups')[copyIndex()].name]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2019-02-01", + "location": "[parameters('location')]", + "properties": { + "securityRules": "[parameters('networkSecurityGroups')[copyIndex()].rules]" + }, + "copy": { + "name": "networkSecurityGroups", + "count": "[length(parameters('networkSecurityGroups'))]" + } + }, + { + "name": "pass", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "[variables('virtualMachineScaleSetApiVersion')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]", + "networkSecurityGroups", + "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]" + ], + "properties": { + "singlePlacementGroup": "[parameters('singlePlacementGroup')]", + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "createOption": "fromImage", + "caching": "ReadWrite", + "managedDisk": { + "storageAccountType": "[parameters('osDiskType')]" + } + }, + "imageReference": { + "publisher": "canonical", + "offer": "0001-com-ubuntu-server-focal", + "sku": "20_04-lts-gen2", + "version": "latest" + } + }, + "networkProfile": { + "copy": [ + { + "name": "networkInterfaceConfigurations", + "count": "[length(parameters('networkInterfaceConfigurations'))]", + "input": { + "name": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name]", + "properties": { + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "enableAcceleratedNetworking": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].enableAcceleratedNetworking]", + "ipConfigurations": [ + { + "name": "[concat(take(parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].name, sub(80, length('-defaultIpConfiguration'))), '-defaultIpConfiguration')]", + "properties": { + "subnet": { + "id": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].subnetId]" + }, + "primary": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].primary]", + "applicationGatewayBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].applicationGatewayBackendAddressPools]", + "loadBalancerBackendAddressPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].loadBalancerBackendAddressPools]", + "publicIPAddressConfiguration": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, ''), json('null'), union(json(concat('{\"name\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].pipName, '\"}'))\n ,json('{\"properties\": { \"idleTimeoutInMinutes\": 15}}')))]", + "loadBalancerInboundNatPools": "[parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].loadBalancerInboundNatPools]" + } + } + ], + "networkSecurityGroup": "[if( equals( parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, ''), json('null'),json(concat('{\"id\": \"', parameters('networkInterfaceConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId, '\"}')))]" + } + } + } + ] + }, + "extensionProfile": { + "extensions": [ + { + "name": "GuestAttestation", + "properties": { + "publisher": "Microsoft.Azure.Security.LinuxAttestation", + "type": "GuestAttestation", + "typeHandlerVersion": "1.0", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "AttestationConfig": { + "MaaSettings": { + "maaEndpoint": "", + "maaTenantName": "GuestAttestation" + }, + "AscSettings": { + "ascReportingEndpoint": "", + "ascReportingFrequency": "" + }, + "useCustomToken": "false", + "disableAlerts": "false" + } + } + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": true + } + }, + "osProfile": { + "computerNamePrefix": "[variables('namingInfix')]", + "adminUsername": "[parameters('adminUsername')]", + "linuxConfiguration": { + "disablePasswordAuthentication": true + } + }, + "securityProfile": { + "securityType": "[parameters('securityType')]", + "uefiSettings": { + "secureBootEnabled": "[parameters('secureBoot')]", + "vTpmEnabled": "[parameters('vTPM')]" + } + } + }, + "orchestrationMode": "Uniform", + "scaleInPolicy": "[parameters('scaleInPolicy')]", + "overprovision": "[parameters('overprovision')]", + "upgradePolicy": { + "mode": "[parameters('upgradePolicy')]" + }, + "platformFaultDomainCount": "[parameters('platformFaultDomainCount')]" + }, + "sku": { + "name": "[parameters('instanceSize')]", + "capacity": "[int(parameters('instanceCount'))]" + } + } + ], + "outputs": { + "adminUsername": { + "type": "string", + "value": "[parameters('adminUsername')]" + } + } +} \ No newline at end of file diff --git a/tests/arm/checks/resource/test_AppServiceUsedAzureFiles.py b/tests/arm/checks/resource/test_AppServiceUsedAzureFiles.py new file mode 100644 index 00000000000..e05ef40499c --- /dev/null +++ b/tests/arm/checks/resource/test_AppServiceUsedAzureFiles.py @@ -0,0 +1,41 @@ +import unittest +from pathlib import Path + +from checkov.arm.checks.resource.AppServiceUsedAzureFiles import check +from checkov.arm.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestAppServiceUsedAzureFiles(unittest.TestCase): + def test_summary(self): + # given + test_files_dir = Path(__file__).parent / "example_AppServiceUsedAzureFiles" + + # when + report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) + + # then + summary = report.get_summary() + + passing_resources = { + "Microsoft.Web/sites/config.passed", + } + failing_resources = { + "Microsoft.Web/sites/config.failed", + "Microsoft.Web/sites/config.failed2", + } + + passed_check_resources = {c.resource for c in report.passed_checks} + failed_check_resources = {c.resource for c in report.failed_checks} + + self.assertEqual(summary["passed"], len(passing_resources)) + self.assertEqual(summary["failed"], len(failing_resources)) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/arm/checks/resource/test_SQLServerUsesADAuth.py b/tests/arm/checks/resource/test_SQLServerUsesADAuth.py new file mode 100644 index 00000000000..903322ff3b4 --- /dev/null +++ b/tests/arm/checks/resource/test_SQLServerUsesADAuth.py @@ -0,0 +1,40 @@ +import unittest +from pathlib import Path + +from checkov.arm.checks.resource.SQLServerUsesADAuth import check +from checkov.arm.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestSQLServerUsesADAuth(unittest.TestCase): + def test_summary(self): + # given + test_files_dir = Path(__file__).parent / "example_SQLServerUsesADAuth" + + # when + report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) + + # then + summary = report.get_summary() + + passing_resources = { + "Microsoft.Sql/servers.pass", + } + failing_resources = { + "Microsoft.Sql/servers.fail", + } + + passed_check_resources = {c.resource for c in report.passed_checks} + failed_check_resources = {c.resource for c in report.failed_checks} + + self.assertEqual(summary["passed"], len(passing_resources)) + self.assertEqual(summary["failed"], len(failing_resources)) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/arm/checks/resource/test_VMDisablePasswordAuthentication.py b/tests/arm/checks/resource/test_VMDisablePasswordAuthentication.py new file mode 100644 index 00000000000..489a1e2ccf2 --- /dev/null +++ b/tests/arm/checks/resource/test_VMDisablePasswordAuthentication.py @@ -0,0 +1,42 @@ +import os +import unittest +from pathlib import Path + +from checkov.arm.checks.resource.VMDisablePasswordAuthentication import check +from checkov.arm.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestVMDisablePasswordAuthentication(unittest.TestCase): + + def test_summary(self): + # given + test_files_dir = Path(__file__).parent / "example_VMDisablePasswordAuthentication" + + # when + report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) + + # then + summary = report.get_summary() + + passing_resources = { + "Microsoft.Compute/virtualMachineScaleSets.passed", + "Microsoft.Compute/virtualMachines.passed" + } + failing_resources = { + "Microsoft.Compute/virtualMachineScaleSets.failed", + "Microsoft.Compute/virtualMachines.failed" + } + + passed_check_resources = {c.resource for c in report.passed_checks} + failed_check_resources = {c.resource for c in report.failed_checks} + + self.assertEqual(summary["passed"], len(passing_resources)) + self.assertEqual(summary["failed"], len(failing_resources)) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + diff --git a/tests/arm/checks/resource/test_VMScaleSetsAutoOSImagePatchingEnabled.py b/tests/arm/checks/resource/test_VMScaleSetsAutoOSImagePatchingEnabled.py new file mode 100644 index 00000000000..22f35bd50b7 --- /dev/null +++ b/tests/arm/checks/resource/test_VMScaleSetsAutoOSImagePatchingEnabled.py @@ -0,0 +1,44 @@ +import unittest +from pathlib import Path + +from checkov.arm.checks.resource.VMScaleSetsAutoOSImagePatchingEnabled import check +from checkov.arm.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestVMScaleSetsAutoOSImagePatchingEnabled(unittest.TestCase): + def test_summary(self): + # given + test_files_dir = Path(__file__).parent / "example_VMScaleSetsAutoOSImagePatchingEnabled" + + # when + report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) + + # then + summary = report.get_summary() + + passing_resources = { + "Microsoft.Compute/virtualMachineScaleSets.pass", + "Microsoft.Compute/virtualMachineScaleSets.pass-windows", + } + failing_resources = { + "Microsoft.Compute/virtualMachineScaleSets.fail", + "Microsoft.Compute/virtualMachineScaleSets.fail2", + "Microsoft.Compute/virtualMachineScaleSets.fail-windows", + "Microsoft.Compute/virtualMachineScaleSets.fail-windows2", + } + + passed_check_resources = {c.resource for c in report.passed_checks} + failed_check_resources = {c.resource for c in report.failed_checks} + + self.assertEqual(summary["passed"], len(passing_resources)) + self.assertEqual(summary["failed"], len(failing_resources)) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/arm/graph_builder/checks/test_yaml_policies.py b/tests/arm/graph_builder/checks/test_yaml_policies.py index a11c2de68b3..5aa84eaae5b 100644 --- a/tests/arm/graph_builder/checks/test_yaml_policies.py +++ b/tests/arm/graph_builder/checks/test_yaml_policies.py @@ -3,10 +3,8 @@ from typing import List from checkov.arm.graph_manager import ArmGraphManager -from checkov.common.graph.db_connectors.networkx.networkx_db_connector import NetworkxConnector from parameterized import parameterized_class -from checkov.common.graph.db_connectors.igraph.igraph_db_connector import IgraphConnector - +from tests.graph_utils.utils import set_db_connector_by_graph_framework, PARAMETERIZED_GRAPH_FRAMEWORKS from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.models.enums import CheckResult @@ -17,18 +15,12 @@ @parameterized_class( - [ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"}, - ] + PARAMETERIZED_GRAPH_FRAMEWORKS ) class TestYamlPolicies(TestYamlPoliciesBase): def __init__(self, args): - db_connector = None - if self.graph_framework == "NETWORKX": - db_connector = NetworkxConnector() - elif self.graph_framework == "IGRAPH": - db_connector = IgraphConnector() + db_connector = set_db_connector_by_graph_framework(self.graph_framework) + graph_manager = ArmGraphManager(db_connector=db_connector) super().__init__( graph_manager=graph_manager, diff --git a/tests/bicep/graph/checks/test_yaml_policies.py b/tests/bicep/graph/checks/test_yaml_policies.py index d25c9b4f27d..2d233683123 100644 --- a/tests/bicep/graph/checks/test_yaml_policies.py +++ b/tests/bicep/graph/checks/test_yaml_policies.py @@ -3,10 +3,8 @@ from typing import List from checkov.bicep.graph_manager import BicepGraphManager -from checkov.common.graph.db_connectors.networkx.networkx_db_connector import NetworkxConnector from parameterized import parameterized_class -from checkov.common.graph.db_connectors.igraph.igraph_db_connector import IgraphConnector - +from tests.graph_utils.utils import set_db_connector_by_graph_framework, PARAMETERIZED_GRAPH_FRAMEWORKS from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.models.enums import CheckResult @@ -15,17 +13,10 @@ from checkov.common.bridgecrew.check_type import CheckType from tests.common.graph.checks.test_yaml_policies_base import TestYamlPoliciesBase -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestYamlPolicies(TestYamlPoliciesBase): def __init__(self, args): - db_connector = None - if self.graph_framework == 'NETWORKX': - db_connector = NetworkxConnector() - elif self.graph_framework == 'IGRAPH': - db_connector = IgraphConnector() + db_connector = set_db_connector_by_graph_framework(self.graph_framework) graph_manager = BicepGraphManager(db_connector=db_connector) super().__init__( graph_manager=graph_manager, diff --git a/tests/bicep/image_referencer/provider/test_azure.py b/tests/bicep/image_referencer/provider/test_azure.py index 8bb087f5076..84746610947 100644 --- a/tests/bicep/image_referencer/provider/test_azure.py +++ b/tests/bicep/image_referencer/provider/test_azure.py @@ -1,17 +1,18 @@ -import os - from unittest import mock import igraph import pytest from networkx import DiGraph +from rustworkx import PyDiGraph from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.images.image_referencer import Image from checkov.terraform.image_referencer.provider.azure import AzureTerraformProvider +from tests.graph_utils.utils import GRAPH_FRAMEWORKS, set_graph_by_graph_framework, \ + add_vertices_to_graph_by_graph_framework -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def extract_images_from_resources(graph_framework): # given resource = { @@ -33,18 +34,8 @@ def extract_images_from_resources(graph_framework): }, "resource_type": "Microsoft.Batch/batchAccounts/pools", } - if graph_framework == 'IGRAPH': - graph = igraph.Graph() - graph.add_vertex( - name='1', - block_type_='resource', - resource_type=resource[ - CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in resource else None, - attr=resource, - ) - else: - graph = DiGraph() - graph.add_node(1, **resource) + graph = set_graph_by_graph_framework(graph_framework) + add_vertices_to_graph_by_graph_framework(graph_framework, resource, graph) # when azure_provider = AzureTerraformProvider(graph_connector=graph) @@ -57,7 +48,7 @@ def extract_images_from_resources(graph_framework): ] -@pytest.mark.parametrize('graph_framework', ["NETWORKX", "IGRAPH"]) +@pytest.mark.parametrize('graph_framework', GRAPH_FRAMEWORKS) def test_extract_images_from_resources_with_no_image(graph_framework): # given resource = { @@ -79,18 +70,8 @@ def test_extract_images_from_resources_with_no_image(graph_framework): }, "resource_type": "Microsoft.Batch/batchAccounts/pools", } - if graph_framework == 'IGRAPH': - graph = igraph.Graph() - graph.add_vertex( - name='1', - block_type_='resource', - resource_type=resource[ - CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in resource else None, - attr=resource, - ) - else: - graph = DiGraph() - graph.add_node(1, **resource) + graph = set_graph_by_graph_framework(graph_framework) + add_vertices_to_graph_by_graph_framework(graph_framework, resource, graph) # when with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}): diff --git a/tests/bicep/image_referencer/test_manager.py b/tests/bicep/image_referencer/test_manager.py index 4a48f73dd42..5e8ada5794c 100644 --- a/tests/bicep/image_referencer/test_manager.py +++ b/tests/bicep/image_referencer/test_manager.py @@ -1,17 +1,14 @@ -import unittest from unittest import mock -import igraph import pytest -from networkx import DiGraph -from parameterized import parameterized_class from checkov.bicep.image_referencer.manager import BicepImageReferencerManager -from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.images.image_referencer import Image +from tests.graph_utils.utils import GRAPH_FRAMEWORKS, set_graph_by_graph_framework, \ + add_vertices_to_graph_by_graph_framework -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_extract_images_from_resources(graph_framework): # given resource = { @@ -33,18 +30,9 @@ def test_extract_images_from_resources(graph_framework): }, "resource_type": "Microsoft.Batch/batchAccounts/pools", } - if graph_framework == 'NETWORKX': - graph = DiGraph() - graph.add_node(1, **resource) - else: - graph = igraph.Graph() - graph.add_vertex( - name='1', - block_type_='resource', - resource_type=resource[CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in - resource else None, - attr=resource, - ) + graph = set_graph_by_graph_framework(graph_framework) + add_vertices_to_graph_by_graph_framework(graph_framework, resource, graph) + # when with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}): diff --git a/tests/bicep/image_referencer/test_runner_azure_resources.py b/tests/bicep/image_referencer/test_runner_azure_resources.py index d21f8c224ee..bf47ad37dc5 100644 --- a/tests/bicep/image_referencer/test_runner_azure_resources.py +++ b/tests/bicep/image_referencer/test_runner_azure_resources.py @@ -13,11 +13,12 @@ mock_get_license_statuses_async, mock_get_image_cached_result_async, ) +from tests.graph_utils.utils import GRAPH_FRAMEWORKS RESOURCES_PATH = Path(__file__).parent / "resources/azure" -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_batch_resources(mocker: MockerFixture, graph_framework): # given from checkov.common.bridgecrew.platform_integration import bc_integration @@ -76,7 +77,7 @@ def test_batch_resources(mocker: MockerFixture, graph_framework): ] -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_container_instance_resources(mocker: MockerFixture, graph_framework): # given file_name = "container_instance.bicep" @@ -123,7 +124,7 @@ def test_container_instance_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_web_resources(mocker: MockerFixture, graph_framework): # given file_name = "web.bicep" diff --git a/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/example.yaml b/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/example.yaml new file mode 100644 index 00000000000..f545330e862 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/example.yaml @@ -0,0 +1,26 @@ +Resources: + Pass: + Type: 'AWS::Lambda::Function' + Properties: + Handler: 'index.handler' + Role: 'arn:aws:iam::123456789012:role/execution_role' + FunctionName: 'MyFunction' + Code: + S3Bucket: 'myBucket' + S3Key: 'code/myLambda.zip' + Runtime: 'nodejs18.x' + Fail: + Type: 'AWS::Lambda::Function' + Metadata: + cfn-lint: + config: + ignore_checks: + - E2531 + Properties: + Handler: 'index.handler' + Role: 'arn:aws:iam::123456789012:role/execution_role' + FunctionName: 'MyFunction' + Code: + S3Bucket: 'myBucket' + S3Key: 'code/myLambda.zip' + Runtime: 'dotnetcore3.1' diff --git a/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/exampleSAM.yaml b/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/exampleSAM.yaml new file mode 100644 index 00000000000..2ff19fbb789 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/exampleSAM.yaml @@ -0,0 +1,52 @@ +AWSTemplateFormatVersion: '2010-09-09' +Transform: 'AWS::Serverless-2016-10-31' +Description: A simple AWS SAM template with a Lambda function. + +Resources: + + Fail2: + Type: 'AWS::Serverless::Function' + Metadata: + cfn-lint: + config: + ignore_checks: + - E2531 + Properties: + Handler: 'index.handler' + Runtime: 'python3.6' + CodeUri: './code/' # This should be the directory path where your Lambda code is. + Events: + MyApi: + Type: Api + Properties: + Path: /hello1 + Method: get + Environment: + Variables: + LOG_LEVEL: 'INFO' + MemorySize: 256 + Timeout: 10 + Role: arn:aws:iam::123456789012:role/lambda_execution_role + Pass2: + Type: 'AWS::Serverless::Function' + Properties: + Handler: 'index.handler' + Runtime: 'python3.11' + CodeUri: './code/' # This should be the directory path where your Lambda code is. + Events: + MyApi: + Type: Api + Properties: + Path: /hello2 + Method: get + Environment: + Variables: + LOG_LEVEL: 'INFO' + MemorySize: 256 + Timeout: 10 + Role: arn:aws:iam::123456789012:role/lambda_execution_role + +Outputs: + MyServerlessFunctionApi: + Description: "API Gateway endpoint URL for Prod environment" + Value: !Sub "https://${AWS::AccountId}.execute-api.${AWS::Region}.amazonaws.com/Prod/hello1/" diff --git a/tests/cloudformation/checks/resource/aws/example_DocDBBackupRetention/DocDBBackupRetention-FAILED.yaml b/tests/cloudformation/checks/resource/aws/example_DocDBBackupRetention/DocDBBackupRetention-FAILED.yaml new file mode 100644 index 00000000000..aee5895419d --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_DocDBBackupRetention/DocDBBackupRetention-FAILED.yaml @@ -0,0 +1,13 @@ +AWSTemplateFormatVersion: "2010-09-09" +Resources: + DocDBDefault: + Type: AWS::DocDB::DBCluster + Properties: + MasterUsername: name + MasterUserPassword: password + DocDBNotAdequate: + Type: AWS::DocDB::DBCluster + Properties: + MasterUsername: name + MasterUserPassword: password + BackupRetentionPeriod: 3 \ No newline at end of file diff --git a/tests/cloudformation/checks/resource/aws/example_DocDBBackupRetention/DocDBBackupRetention-PASSED.yaml b/tests/cloudformation/checks/resource/aws/example_DocDBBackupRetention/DocDBBackupRetention-PASSED.yaml new file mode 100644 index 00000000000..1d9bb3f3ee9 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_DocDBBackupRetention/DocDBBackupRetention-PASSED.yaml @@ -0,0 +1,8 @@ +AWSTemplateFormatVersion: "2010-09-09" +Resources: + DocDBAdequate: + Type: AWS::DocDB::DBCluster + Properties: + MasterUsername: name + MasterUserPassword: password + BackupRetentionPeriod: 7 diff --git a/tests/cloudformation/checks/resource/aws/example_LambdaServicePermission/LambdaServicePermission_Fail.yml b/tests/cloudformation/checks/resource/aws/example_LambdaServicePermission/LambdaServicePermission_Fail.yml new file mode 100644 index 00000000000..c8f9ad10758 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_LambdaServicePermission/LambdaServicePermission_Fail.yml @@ -0,0 +1,9 @@ +AWSTemplateFormatVersion: "2010-09-09" +Resources: + FunctionFailPermission: + Type: AWS::Lambda::Permission + Properties: + Action: lambda:InvokeFunction + FunctionName: TestFunction + Principal: apigateway.amazonaws.com + diff --git a/tests/cloudformation/checks/resource/aws/example_LambdaServicePermission/LambdaServicePermission_Pass.yml b/tests/cloudformation/checks/resource/aws/example_LambdaServicePermission/LambdaServicePermission_Pass.yml new file mode 100644 index 00000000000..16ac320cc11 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_LambdaServicePermission/LambdaServicePermission_Pass.yml @@ -0,0 +1,42 @@ +AWSTemplateFormatVersion: "2010-09-09" +Resources: + FunctionPassingArnPermission: + Type: AWS::Lambda::Permission + Properties: + Action: lambda:InvokeFunction + FunctionName: TestFunction + Principal: apigateway.amazonaws.com + SourceArn: arn:aws:apigateway:us-east-1::/apis/qwerty + + FunctionPassingAccountPermission: + Type: AWS::Lambda::Permission + Properties: + Action: lambda:InvokeFunction + FunctionName: TestFunction + Principal: apigateway.amazonaws.com + SourceAccount: 901234567812 + + FunctionStringPrincipallPermission: + Type: AWS::Lambda::Permission + Properties: + Action: lambda:InvokeFunction + FunctionName: TestFunction + Principal: 901234567812 + + ExampleS3ServicePermission: + Type: AWS::Lambda::Permission + Properties: + FunctionName: TestFunction + Action: lambda:InvokeFunction + Principal: s3.amazonaws.com + SourceAccount: 901234567812 + SourceArn: arn:aws:apigateway:us-east-1::/apis/qwerty + + ExampleEventsServicePermission: + Type: AWS::Lambda::Permission + Properties: + FunctionName: TestFunction + Action: lambda:InvokeFunction + Principal: events.amazonaws.com + SourceAccount: 901234567812 + SourceArn: arn:aws:apigateway:us-east-1::/apis/qwerty \ No newline at end of file diff --git a/tests/cloudformation/checks/resource/aws/example_NeptuneClusterBackupRetention/NeptuneClusterBackupRetention-FAILED.yml b/tests/cloudformation/checks/resource/aws/example_NeptuneClusterBackupRetention/NeptuneClusterBackupRetention-FAILED.yml new file mode 100644 index 00000000000..342411f05db --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_NeptuneClusterBackupRetention/NeptuneClusterBackupRetention-FAILED.yml @@ -0,0 +1,11 @@ +AWSTemplateFormatVersion: 2010-09-09 +Resources: + NeptuneDBClusterDefault: + Type: "AWS::Neptune::DBCluster" + Properties: + DBClusterIdentifier: DBClusterIdentifier + NeptuneDBClusterNotAdequate: + Type: "AWS::Neptune::DBCluster" + Properties: + DBClusterIdentifier: DBClusterIdentifier + BackupRetentionPeriod: 3 diff --git a/tests/cloudformation/checks/resource/aws/example_NeptuneClusterBackupRetention/NeptuneClusterBackupRetention-PASSED.yml b/tests/cloudformation/checks/resource/aws/example_NeptuneClusterBackupRetention/NeptuneClusterBackupRetention-PASSED.yml new file mode 100644 index 00000000000..c41ca50cb67 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_NeptuneClusterBackupRetention/NeptuneClusterBackupRetention-PASSED.yml @@ -0,0 +1,7 @@ +AWSTemplateFormatVersion: 2010-09-09 +Resources: + NeptuneDBClusterAdequate: + Type: "AWS::Neptune::DBCluster" + Properties: + DBClusterIdentifier: DBClusterIdentifier + BackupRetentionPeriod: 7 diff --git a/tests/cloudformation/checks/resource/aws/test_DeprecatedLambdaRuntime.py b/tests/cloudformation/checks/resource/aws/test_DeprecatedLambdaRuntime.py new file mode 100644 index 00000000000..60442312cb7 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/test_DeprecatedLambdaRuntime.py @@ -0,0 +1,42 @@ +import unittest +from pathlib import Path + +from checkov.cloudformation.checks.resource.aws.DeprecatedLambdaRuntime import check +from checkov.cloudformation.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestDeprecatedLambdaRuntime(unittest.TestCase): + def test_summary(self): + # given + test_files_dir = Path(__file__).parent / "example_DeprecatedLambdaRuntime" + + # when + report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) + + # then + summary = report.get_summary() + + passing_resources = { + "AWS::Lambda::Function.Pass", + "AWS::Serverless::Function.Pass2" + } + failing_resources = { + "AWS::Lambda::Function.Fail", + "AWS::Serverless::Function.Fail2" + } + + passed_check_resources = {c.resource for c in report.passed_checks} + failed_check_resources = {c.resource for c in report.failed_checks} + + self.assertEqual(summary['passed'], len(passing_resources)) + self.assertEqual(summary['failed'], len(failing_resources)) + self.assertEqual(summary['skipped'], 0) + self.assertEqual(summary['parsing_errors'], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == '__main__': + unittest.main() diff --git a/tests/cloudformation/checks/resource/aws/test_DocDBBackupRetention.py b/tests/cloudformation/checks/resource/aws/test_DocDBBackupRetention.py new file mode 100644 index 00000000000..a8d309961d9 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/test_DocDBBackupRetention.py @@ -0,0 +1,39 @@ +import os +import unittest + +from checkov.cloudformation.checks.resource.aws.DocDBBackupRetention import check +from checkov.cloudformation.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestDocDBAuditLogs(unittest.TestCase): + def test_summary(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = current_dir + "/example_DocDBBackupRetention" + report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + "AWS::DocDB::DBCluster.DocDBAdequate", + } + failing_resources = { + "AWS::DocDB::DBCluster.DocDBDefault", + "AWS::DocDB::DBCluster.DocDBNotAdequate", + } + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary["passed"], 1) + self.assertEqual(summary["failed"], 2) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/cloudformation/checks/resource/aws/test_LambdaServicePermission.py b/tests/cloudformation/checks/resource/aws/test_LambdaServicePermission.py new file mode 100644 index 00000000000..4d74a29a96e --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/test_LambdaServicePermission.py @@ -0,0 +1,43 @@ +import os +import unittest + +from checkov.cloudformation.checks.resource.aws.LambdaServicePermission import check +from checkov.cloudformation.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestLambdaServicePermission(unittest.TestCase): + def test_summary(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = current_dir + "/example_LambdaServicePermission" + report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + "AWS::Lambda::Permission.FunctionPassingArnPermission", + "AWS::Lambda::Permission.FunctionPassingAccountPermission", + "AWS::Lambda::Permission.ExampleS3ServicePermission", + "AWS::Lambda::Permission.ExampleEventsServicePermission" + } + failing_resources = { + "AWS::Lambda::Permission.FunctionFailPermission", + } + unknown_resources = { + "AWS::Lambda::Permission.FunctionStringPrincipallPermission", + } + + passed_check_resources = {c.resource for c in report.passed_checks} + failed_check_resources = {c.resource for c in report.failed_checks} + + self.assertEqual(summary['passed'], 4) + self.assertEqual(summary['failed'], 1) + self.assertEqual(summary['skipped'], 0) + self.assertEqual(summary['parsing_errors'], 0) + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == '__main__': + unittest.main() diff --git a/tests/cloudformation/checks/resource/aws/test_NeptuneClusterBackupRetention.py b/tests/cloudformation/checks/resource/aws/test_NeptuneClusterBackupRetention.py new file mode 100644 index 00000000000..3b6762a529f --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/test_NeptuneClusterBackupRetention.py @@ -0,0 +1,39 @@ +import os +import unittest + +from checkov.cloudformation.checks.resource.aws.NeptuneClusterBackupRetention import check +from checkov.cloudformation.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestNeptuneClusterBackupRetention(unittest.TestCase): + def test_summary(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = current_dir + "/example_NeptuneClusterBackupRetention" + report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + "AWS::Neptune::DBCluster.NeptuneDBClusterAdequate", + } + failing_resources = { + "AWS::Neptune::DBCluster.NeptuneDBClusterNotAdequate", + "AWS::Neptune::DBCluster.NeptuneDBClusterDefault", + } + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary["passed"], 1) + self.assertEqual(summary["failed"], 2) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/cloudformation/graph/checks/test_yaml_policies.py b/tests/cloudformation/graph/checks/test_yaml_policies.py index dcad260ef64..bd1559557ae 100644 --- a/tests/cloudformation/graph/checks/test_yaml_policies.py +++ b/tests/cloudformation/graph/checks/test_yaml_policies.py @@ -6,8 +6,7 @@ from parameterized import parameterized_class from checkov.cloudformation.graph_manager import CloudformationGraphManager -from checkov.common.graph.db_connectors.igraph.igraph_db_connector import IgraphConnector -from checkov.common.graph.db_connectors.networkx.networkx_db_connector import NetworkxConnector +from tests.graph_utils.utils import set_db_connector_by_graph_framework, PARAMETERIZED_GRAPH_FRAMEWORKS from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.models.enums import CheckResult from checkov.common.output.record import Record @@ -18,17 +17,10 @@ file_dir = os.path.dirname(__file__) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestYamlPolicies(TestYamlPoliciesBase): def __init__(self, args): - db_connector = None - if self.graph_framework == 'NETWORKX': - db_connector = NetworkxConnector() - elif self.graph_framework == 'IGRAPH': - db_connector = IgraphConnector() + db_connector = set_db_connector_by_graph_framework(self.graph_framework) graph_manager = CloudformationGraphManager(db_connector=db_connector) super().__init__(graph_manager, os.path.abspath(os.path.join(file_dir, "../../../../checkov/cloudformation/checks/graph_checks")), diff --git a/tests/cloudformation/image_referencer/provider/test_aws.py b/tests/cloudformation/image_referencer/provider/test_aws.py index ef0aa4f261d..4f8f8db6768 100644 --- a/tests/cloudformation/image_referencer/provider/test_aws.py +++ b/tests/cloudformation/image_referencer/provider/test_aws.py @@ -1,16 +1,15 @@ from unittest import mock -import igraph import pytest -from networkx import DiGraph from checkov.cloudformation.image_referencer.provider.aws import AwsCloudFormationProvider -from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.images.image_referencer import Image +from tests.graph_utils.utils import GRAPH_FRAMEWORKS, set_graph_by_graph_framework, \ + add_vertices_to_graph_by_graph_framework -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_extract_images_from_resources(graph_framework): # given resource = { @@ -38,18 +37,8 @@ def test_extract_images_from_resources(graph_framework): ], "resource_type": "AWS::ECS::TaskDefinition", } - if graph_framework == 'IGRAPH': - graph = igraph.Graph() - attr = resource - graph.add_vertex( - name='1', - block_type_='resource', - resource_type=attr[CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in attr else None, - attr=attr, - ) - else: - graph = DiGraph() - graph.add_node(1, **resource) + graph = set_graph_by_graph_framework(graph_framework) + add_vertices_to_graph_by_graph_framework(graph_framework, resource, graph) # when with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}): @@ -69,7 +58,7 @@ def test_extract_images_from_resources(graph_framework): ] -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_extract_images_from_resources_with_no_image(graph_framework): # given resource = { @@ -87,18 +76,8 @@ def test_extract_images_from_resources_with_no_image(graph_framework): ], "resource_type": "AWS::ECS::TaskDefinition", } - if graph_framework == 'IGRAPH': - graph = igraph.Graph() - attr = resource - graph.add_vertex( - name='1', - block_type_='resource', - resource_type=attr[CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in attr else None, - attr=attr, - ) - else: - graph = DiGraph() - graph.add_node(1, **resource) + graph = set_graph_by_graph_framework(graph_framework) + add_vertices_to_graph_by_graph_framework(graph_framework, resource, graph) # when with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}): diff --git a/tests/cloudformation/image_referencer/test_manager.py b/tests/cloudformation/image_referencer/test_manager.py index 5909b5c60b3..f15d780d703 100644 --- a/tests/cloudformation/image_referencer/test_manager.py +++ b/tests/cloudformation/image_referencer/test_manager.py @@ -1,15 +1,14 @@ from unittest import mock -import igraph import pytest -from networkx import DiGraph from checkov.cloudformation.image_referencer.manager import CloudFormationImageReferencerManager -from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.images.image_referencer import Image +from tests.graph_utils.utils import set_graph_by_graph_framework, add_vertices_to_graph_by_graph_framework, \ + GRAPH_FRAMEWORKS -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_extract_images_from_resources(graph_framework): aws_resource = { "file_path_": "/ecs.yaml", @@ -29,18 +28,8 @@ def test_extract_images_from_resources(graph_framework): ], "resource_type": "AWS::ECS::TaskDefinition", } - if graph_framework == 'IGRAPH': - graph = igraph.Graph() - aws_resource = aws_resource - graph.add_vertex( - name='1', - block_type_='resource', - resource_type=aws_resource[CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in aws_resource else None, - attr=aws_resource, - ) - else: - graph = DiGraph() - graph.add_node(1, **aws_resource) + graph = set_graph_by_graph_framework(graph_framework) + add_vertices_to_graph_by_graph_framework(graph_framework, aws_resource, graph) # when with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}): diff --git a/tests/cloudformation/image_referencer/test_runner_aws_resources.py b/tests/cloudformation/image_referencer/test_runner_aws_resources.py index 95076ea4c95..6921de5ced6 100644 --- a/tests/cloudformation/image_referencer/test_runner_aws_resources.py +++ b/tests/cloudformation/image_referencer/test_runner_aws_resources.py @@ -13,11 +13,12 @@ mock_get_license_statuses_async, mock_get_image_cached_result_async, ) +from tests.graph_utils.utils import GRAPH_FRAMEWORKS RESOURCES_PATH = Path(__file__).parent / "resources/aws" -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_apprunner_resources(mocker: MockerFixture, graph_framework): from checkov.common.bridgecrew.platform_integration import bc_integration @@ -79,7 +80,7 @@ def test_apprunner_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_batch_resources(mocker: MockerFixture, graph_framework): # given file_name = "batch.yaml" @@ -126,7 +127,7 @@ def test_batch_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_codebuild_resources(mocker: MockerFixture, graph_framework): # given file_name = "codebuild.yaml" @@ -168,7 +169,7 @@ def test_codebuild_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_ecs_resources(mocker: MockerFixture, graph_framework): # given file_name = "ecs.yaml" @@ -215,7 +216,7 @@ def test_ecs_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_lightsail_resources(mocker: MockerFixture, graph_framework): # given file_name = "lightsail.yaml" diff --git a/tests/cloudformation/runner/test_runner.py b/tests/cloudformation/runner/test_runner.py index f58c8d4a268..cfbd7ed39c4 100644 --- a/tests/cloudformation/runner/test_runner.py +++ b/tests/cloudformation/runner/test_runner.py @@ -400,7 +400,7 @@ def test_parsing_no_properties_yaml(self): report = runner.run(root_folder=None, external_checks_dir=None, files=[scan_file_path], runner_filter=RunnerFilter(framework='cloudformation')) self.assertEqual(len(report.failed_checks), 3) - self.assertEqual(len(report.passed_checks), 2) + self.assertEqual(len(report.passed_checks), 3) def test_runner_honors_enforcement_rules(self): current_dir = os.path.dirname(os.path.realpath(__file__)) @@ -423,7 +423,7 @@ def test_parsing_no_properties_json(self): report = runner.run(root_folder=None, external_checks_dir=None, files=[scan_file_path], runner_filter=RunnerFilter(framework='cloudformation')) self.assertEqual(len(report.failed_checks), 3) - self.assertEqual(len(report.passed_checks), 2) + self.assertEqual(len(report.passed_checks), 3) def test_parsing_error_yaml(self): current_dir = os.path.dirname(os.path.realpath(__file__)) diff --git a/tests/common/checks/test_graph_check_loading.py b/tests/common/checks/test_graph_check_loading.py index 53cca682d62..ec0ad4d633e 100644 --- a/tests/common/checks/test_graph_check_loading.py +++ b/tests/common/checks/test_graph_check_loading.py @@ -38,6 +38,9 @@ def test_external_checks_and_graph_checks_load(self): runner_filter = RunnerFilter(framework=['terraform']) external_graph_checks = 0 + # make sure internal checks are loaded beforehand + runner.graph_registry.load_checks() + # with external yaml checks external graph registry checks count should be equal to the external graph checks extra_checks_dir_path = [current_dir + "/extra_checks", current_dir + "/extra_yaml_checks"] runner.run(root_folder=current_dir, external_checks_dir=extra_checks_dir_path, diff --git a/tests/common/integration_features/test_suppressions_integration.py b/tests/common/integration_features/test_suppressions_integration.py index ecd5faf0446..370867b6e2f 100644 --- a/tests/common/integration_features/test_suppressions_integration.py +++ b/tests/common/integration_features/test_suppressions_integration.py @@ -1,8 +1,8 @@ import unittest -from checkov.common.bridgecrew.integration_features.features.suppressions_integration import SuppressionsIntegration from checkov.common.bridgecrew.integration_features.features.policy_metadata_integration import \ integration as metadata_integration +from checkov.common.bridgecrew.integration_features.features.suppressions_integration import SuppressionsIntegration from checkov.common.bridgecrew.platform_integration import BcPlatformIntegration from checkov.common.models.enums import CheckResult from checkov.common.output.record import Record @@ -450,13 +450,14 @@ def test_supress_by_cve_for_package_scan(self): suppressions_integration._init_repo_regex() suppression = { - 'suppressionType': 'Cves', - 'policyId': 'BC_VUL_2', - 'comment': 'suppress cve ', - 'accountIds': ['customer_some/repo'], - 'cves': [{'uuid': '90397534-a1a0-41bb-a552-acdd861df618', 'id': '/requirements.txt', 'cve': 'CVE-2022-35920'}, - {'uuid': '90397534-a1a0-41bb-a552-acdd861df699', 'id': '/requirements.txt', 'cve': 'CVE-2021-23727'}], - 'checkovPolicyId': 'BC_VUL_2' + 'suppressionType': 'Cves', + 'policyId': 'BC_VUL_2', + 'comment': 'suppress cve ', + 'accountIds': ['customer_some/repo'], + 'cves': [ + {'uuid': '90397534-a1a0-41bb-a552-acdd861df618', 'id': '/requirements.txt', 'cve': 'CVE-2022-35920'}, + {'uuid': '90397534-a1a0-41bb-a552-acdd861df699', 'id': '/requirements.txt', 'cve': 'CVE-2021-23727'}], + 'checkovPolicyId': 'BC_VUL_2' } record1 = Record(check_id='BC_VUL_2', check_name=None, check_result=None, @@ -489,6 +490,28 @@ def test_supress_by_cve_for_package_scan(self): self.assertFalse(suppressions_integration._check_suppression(record3, suppression)) self.assertFalse(suppressions_integration._check_suppression(record4, suppression)) + def test_suppress_by_cve_with_empty_cves(self): + instance = BcPlatformIntegration() + instance.repo_id = 'repo/path' + suppressions_integration = SuppressionsIntegration(instance) + suppressions_integration._init_repo_regex() + + suppression = { + 'suppressionType': 'Cves', + 'policyId': 'BC_VUL_2', + 'comment': 'suppress cve ', + 'cves': [], + 'checkovPolicyId': 'BC_VUL_2' + } + + record1 = Record(check_id='BC_VUL_2', check_name=None, check_result=None, + code_block=None, file_path='repo/path', + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None, + vulnerability_details={'id': 'CVE-2022-35920'}) + self.assertFalse(suppressions_integration._check_suppression(record1, suppression)) + def test_supress_by_cve_for_package_scan_with_different_repo_id(self): instance = BcPlatformIntegration() instance.repo_id = 'some/repo' @@ -497,13 +520,14 @@ def test_supress_by_cve_for_package_scan_with_different_repo_id(self): suppressions_integration._init_repo_regex() suppression = { - 'suppressionType': 'Cves', - 'policyId': 'BC_VUL_2', - 'comment': 'suppress cve ', - 'accountIds': ['customer_other/repo'], - 'cves': [{'uuid': '90397534-a1a0-41bb-a552-acdd861df618', 'id': '/requirements.txt', 'cve': 'CVE-2022-35920'}, - {'uuid': '90397534-a1a0-41bb-a552-acdd861df699', 'id': '/requirements.txt', 'cve': 'CVE-2021-23727'}], - 'checkovPolicyId': 'BC_VUL_2' + 'suppressionType': 'Cves', + 'policyId': 'BC_VUL_2', + 'comment': 'suppress cve ', + 'accountIds': ['customer_other/repo'], + 'cves': [ + {'uuid': '90397534-a1a0-41bb-a552-acdd861df618', 'id': '/requirements.txt', 'cve': 'CVE-2022-35920'}, + {'uuid': '90397534-a1a0-41bb-a552-acdd861df699', 'id': '/requirements.txt', 'cve': 'CVE-2021-23727'}], + 'checkovPolicyId': 'BC_VUL_2' } record1 = Record(check_id='BC_VUL_2', check_name=None, check_result=None, @@ -733,11 +757,11 @@ def test_supress_licenses_by_type(self): suppressions_integration = SuppressionsIntegration(instance) suppression = {'suppressionType': 'LicenseType', - 'policyId': 'BC_LIC_1', - 'comment': 'test licenses suppressions by type ', - 'licenseTypes': ['GPL-1.0', 'JSON'], - 'checkovPolicyId': 'BC_LIC_1' - } + 'policyId': 'BC_LIC_1', + 'comment': 'test licenses suppressions by type ', + 'licenseTypes': ['GPL-1.0', 'JSON'], + 'checkovPolicyId': 'BC_LIC_1' + } record1 = Record(check_id='BC_LIC_1', check_name=None, check_result=None, code_block=None, file_path=None, file_line_range=None, @@ -767,7 +791,6 @@ def test_supress_licenses_by_type(self): self.assertFalse(suppressions_integration._check_suppression(record3, suppression)) self.assertFalse(suppressions_integration._check_suppression(record4, suppression)) - def test_account_suppression(self): instance = BcPlatformIntegration() instance.repo_id = 'org/repo' @@ -1023,7 +1046,7 @@ def test_apply_suppressions_to_report(self): self.assertEqual(len(report.passed_checks), 1) self.assertEqual(report.passed_checks[0].check_id, 'CKV_AWS_2') self.assertEqual(len(report.skipped_checks), 2) - + def test_get_policy_level_suppressions(self): instance = BcPlatformIntegration() @@ -1031,7 +1054,7 @@ def test_get_policy_level_suppressions(self): suppressions_integration.suppressions = { 'CKV_AWS_252': [{'suppressionType': 'Policy', 'id': '404088ed-4251-41ac-8dc1-45264af0c461', 'policyId': 'BC_AWS_GENERAL_175', 'creationDate': '2022-11-09T16:27:36.413Z', - 'comment': 'Test2', 'checkovPolicyId': 'CKV_AWS_252'}], + 'comment': 'Test2', 'checkovPolicyId': 'CKV_AWS_252'}], 'CKV_AWS_36': [ {'suppressionType': 'Policy', 'id': 'b68013bc-2908-4c9a-969d-f1640d4aca11', 'policyId': 'BC_AWS_LOGGING_2', @@ -1039,7 +1062,7 @@ def test_get_policy_level_suppressions(self): 'CKV_K8S_27': [ {'suppressionType': 'Policy', 'id': '271c1a79-2333-4a12-bf7d-55ec78468b94', 'policyId': 'BC_K8S_26', 'creationDate': '2022-12-08T08:00:04.561Z', 'comment': 'test checkov suppressions', - 'checkovPolicyId': 'CKV_K8S_27'}], + 'checkovPolicyId': 'CKV_K8S_27'}], 'acme_AWS_1668010000289': [ {'suppressionType': 'Resources', 'id': '5565e523-58da-4bc7-970e-c3fceef93ac1', 'policyId': 'acme_AWS_1668010000289', 'creationDate': '2022-11-09T16:28:50.887Z', @@ -1057,7 +1080,8 @@ def test_get_policy_level_suppressions(self): 'resourceId': '/src/BC_AWS_LOGGING_7.tf:aws_cloudtrail.cloudtrail8'}], 'checkovPolicyId': 'acme_AWS_1668010000289'}]} - expected_suppressions = ['404088ed-4251-41ac-8dc1-45264af0c461', 'b68013bc-2908-4c9a-969d-f1640d4aca11', '271c1a79-2333-4a12-bf7d-55ec78468b94'] + expected_suppressions = ['404088ed-4251-41ac-8dc1-45264af0c461', 'b68013bc-2908-4c9a-969d-f1640d4aca11', + '271c1a79-2333-4a12-bf7d-55ec78468b94'] policy_level_suppressions = suppressions_integration.get_policy_level_suppressions() self.assertEqual(expected_suppressions, list(policy_level_suppressions.keys())) diff --git a/tests/common/sca/reachability/__init__.py b/tests/common/sca/reachability/__init__.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/tests/common/sca/reachability/example_repo/tsconfig.json b/tests/common/sca/reachability/example_repo/tsconfig.json new file mode 100644 index 00000000000..69fbc006431 --- /dev/null +++ b/tests/common/sca/reachability/example_repo/tsconfig.json @@ -0,0 +1,8 @@ +{ + "compilerOptions": { + "baseUrl": ".", + "paths": { + "ax": ["node_modules/axios"] + } + } +} \ No newline at end of file diff --git a/tests/common/sca/reachability/nodejs/__init__.py b/tests/common/sca/reachability/nodejs/__init__.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/tests/common/sca/reachability/nodejs/examples/babel/babel_config/babel.config.js b/tests/common/sca/reachability/nodejs/examples/babel/babel_config/babel.config.js new file mode 100644 index 00000000000..f21cd124ab3 --- /dev/null +++ b/tests/common/sca/reachability/nodejs/examples/babel/babel_config/babel.config.js @@ -0,0 +1,9 @@ +{ + "plugins": [ + ["module-resolver", { + "alias": { + "ax": "axios" + } + }] + ] +} \ No newline at end of file diff --git a/tests/common/sca/reachability/nodejs/examples/babel/babelrc/.babelrc b/tests/common/sca/reachability/nodejs/examples/babel/babelrc/.babelrc new file mode 100644 index 00000000000..f21cd124ab3 --- /dev/null +++ b/tests/common/sca/reachability/nodejs/examples/babel/babelrc/.babelrc @@ -0,0 +1,9 @@ +{ + "plugins": [ + ["module-resolver", { + "alias": { + "ax": "axios" + } + }] + ] +} \ No newline at end of file diff --git a/tests/common/sca/reachability/nodejs/examples/fake_file/fake.babel.config.js b/tests/common/sca/reachability/nodejs/examples/fake_file/fake.babel.config.js new file mode 100644 index 00000000000..f21cd124ab3 --- /dev/null +++ b/tests/common/sca/reachability/nodejs/examples/fake_file/fake.babel.config.js @@ -0,0 +1,9 @@ +{ + "plugins": [ + ["module-resolver", { + "alias": { + "ax": "axios" + } + }] + ] +} \ No newline at end of file diff --git a/tests/common/sca/reachability/nodejs/examples/mix/package_json_with_alias/package.json b/tests/common/sca/reachability/nodejs/examples/mix/package_json_with_alias/package.json new file mode 100644 index 00000000000..d2f5026ef39 --- /dev/null +++ b/tests/common/sca/reachability/nodejs/examples/mix/package_json_with_alias/package.json @@ -0,0 +1,5 @@ +{ + "alias": { + "ax": "axios" + } +} \ No newline at end of file diff --git a/tests/common/sca/reachability/nodejs/examples/mix/vite.config.js b/tests/common/sca/reachability/nodejs/examples/mix/vite.config.js new file mode 100644 index 00000000000..b542651f912 --- /dev/null +++ b/tests/common/sca/reachability/nodejs/examples/mix/vite.config.js @@ -0,0 +1,7 @@ +export default { + resolve: { + alias: { + "ax": "axios" + } + } +}; \ No newline at end of file diff --git a/tests/common/sca/reachability/nodejs/examples/package_json/package_json_with_alias/package.json b/tests/common/sca/reachability/nodejs/examples/package_json/package_json_with_alias/package.json new file mode 100644 index 00000000000..d2f5026ef39 --- /dev/null +++ b/tests/common/sca/reachability/nodejs/examples/package_json/package_json_with_alias/package.json @@ -0,0 +1,5 @@ +{ + "alias": { + "ax": "axios" + } +} \ No newline at end of file diff --git a/tests/common/sca/reachability/nodejs/examples/package_json/package_json_with_aliasify/package.json b/tests/common/sca/reachability/nodejs/examples/package_json/package_json_with_aliasify/package.json new file mode 100644 index 00000000000..a2511b86d47 --- /dev/null +++ b/tests/common/sca/reachability/nodejs/examples/package_json/package_json_with_aliasify/package.json @@ -0,0 +1,7 @@ +{ + "aliasify": { + "aliases": { + "ax": "axios" + } + } +} \ No newline at end of file diff --git a/tests/common/sca/reachability/nodejs/examples/rollup/rollup.config.js b/tests/common/sca/reachability/nodejs/examples/rollup/rollup.config.js new file mode 100644 index 00000000000..2aea10b8e49 --- /dev/null +++ b/tests/common/sca/reachability/nodejs/examples/rollup/rollup.config.js @@ -0,0 +1,11 @@ +import alias from '@rollup/plugin-alias'; + +export default { + plugins: [ + alias({ + entries: [ + { find: 'ax', replacement: 'axios' } + ] + }) + ] +}; \ No newline at end of file diff --git a/tests/common/sca/reachability/nodejs/examples/snowpack/snowpack.config.js b/tests/common/sca/reachability/nodejs/examples/snowpack/snowpack.config.js new file mode 100644 index 00000000000..160e53671cb --- /dev/null +++ b/tests/common/sca/reachability/nodejs/examples/snowpack/snowpack.config.js @@ -0,0 +1,5 @@ +module.exports = { + alias: { + "ax": "axios" + } +}; \ No newline at end of file diff --git a/tests/common/sca/reachability/nodejs/examples/tsconfig/tsconfig.json b/tests/common/sca/reachability/nodejs/examples/tsconfig/tsconfig.json new file mode 100644 index 00000000000..69fbc006431 --- /dev/null +++ b/tests/common/sca/reachability/nodejs/examples/tsconfig/tsconfig.json @@ -0,0 +1,8 @@ +{ + "compilerOptions": { + "baseUrl": ".", + "paths": { + "ax": ["node_modules/axios"] + } + } +} \ No newline at end of file diff --git a/tests/common/sca/reachability/nodejs/examples/vite/vite.config.js b/tests/common/sca/reachability/nodejs/examples/vite/vite.config.js new file mode 100644 index 00000000000..b542651f912 --- /dev/null +++ b/tests/common/sca/reachability/nodejs/examples/vite/vite.config.js @@ -0,0 +1,7 @@ +export default { + resolve: { + alias: { + "ax": "axios" + } + } +}; \ No newline at end of file diff --git a/tests/common/sca/reachability/nodejs/examples/webpack/webpack.config.js b/tests/common/sca/reachability/nodejs/examples/webpack/webpack.config.js new file mode 100644 index 00000000000..4344076893f --- /dev/null +++ b/tests/common/sca/reachability/nodejs/examples/webpack/webpack.config.js @@ -0,0 +1,7 @@ +module.exports = { + resolve: { + alias: { + ax: 'axios' + } + } +}; \ No newline at end of file diff --git a/tests/common/sca/reachability/nodejs/test_javascript_alias_mapping_strategy.py b/tests/common/sca/reachability/nodejs/test_javascript_alias_mapping_strategy.py new file mode 100644 index 00000000000..cd678f3a814 --- /dev/null +++ b/tests/common/sca/reachability/nodejs/test_javascript_alias_mapping_strategy.py @@ -0,0 +1,85 @@ +import os +from typing import Dict, Any +from checkov.common.sca.reachability.nodejs.nodejs_alias_mapping_strategy import NodejsAliasMappingStrategy + +current_dir = os.path.dirname(os.path.realpath(__file__)) + + +def test_create_alias_mapping_from_webpack_file(): + strategy_object = NodejsAliasMappingStrategy() + root_dir = os.path.join(current_dir, "examples", "webpack") + alias_mapping: Dict[str, Any] = {"languages": {}} + strategy_object.update_alias_mapping(alias_mapping, "supplygoat", root_dir, {'axios'}) + assert alias_mapping == {'languages': {'nodejs': {'repositories': {'supplygoat': {'files': {'webpack.config.js': {'packageAliases': {'axios': {'packageAliases': ['ax']}}}}}}}}} + + +def test_create_alias_mapping_from_babelrc_file(): + strategy_object = NodejsAliasMappingStrategy() + root_dir = os.path.join(current_dir, "examples", "babel", "babelrc") + alias_mapping: Dict[str, Any] = {"languages": {}} + strategy_object.update_alias_mapping(alias_mapping, "supplygoat", root_dir, {'axios'}) + assert alias_mapping == {'languages': {'nodejs': {'repositories': {'supplygoat': {'files': {'.babelrc': {'packageAliases': {'axios': {'packageAliases': ['ax']}}}}}}}}} + + +def test_create_alias_mapping_from_babel_config_file(): + strategy_object = NodejsAliasMappingStrategy() + root_dir = os.path.join(current_dir, "examples", "babel", "babel_config") + alias_mapping: Dict[str, Any] = {"languages": {}} + strategy_object.update_alias_mapping(alias_mapping, "supplygoat", root_dir, {'axios'}) + assert alias_mapping == {'languages': {'nodejs': {'repositories': {'supplygoat': {'files': {'babel.config.js': {'packageAliases': {'axios': {'packageAliases': ['ax']}}}}}}}}} + + +def test_create_alias_mapping_from_rollup_file(): + strategy_object = NodejsAliasMappingStrategy() + root_dir = os.path.join(current_dir, "examples", "rollup") + alias_mapping: Dict[str, Any] = {"languages": {}} + strategy_object.update_alias_mapping(alias_mapping, "supplygoat", root_dir, {'axios'}) + assert alias_mapping == {'languages': {'nodejs': {'repositories': {'supplygoat': {'files': {'rollup.config.js': {'packageAliases': {'axios': {'packageAliases': ['ax']}}}}}}}}} + + +def test_create_alias_mapping_from_package_json_alias(): + strategy_object = NodejsAliasMappingStrategy() + root_dir = os.path.join(current_dir, "examples", "package_json", "package_json_with_alias") + alias_mapping: Dict[str, Any] = {"languages": {}} + strategy_object.update_alias_mapping(alias_mapping, "supplygoat", root_dir, {'axios'}) + assert alias_mapping == {'languages': {'nodejs': {'repositories': {'supplygoat': {'files': {'package.json': {'packageAliases': {'axios': {'packageAliases': ['ax']}}}}}}}}} + + +def test_create_alias_mapping_from_package_json_aliasify(): + strategy_object = NodejsAliasMappingStrategy() + root_dir = os.path.join(current_dir, "examples", "package_json", "package_json_with_aliasify") + alias_mapping: Dict[str, Any] = {"languages": {}} + strategy_object.update_alias_mapping(alias_mapping, "supplygoat", root_dir, {'axios'}) + assert alias_mapping == {'languages': {'nodejs': {'repositories': {'supplygoat': {'files': {'package.json': {'packageAliases': {'axios': {'packageAliases': ['ax']}}}}}}}}} + + +def test_create_alias_mapping_from_snowpack(): + strategy_object = NodejsAliasMappingStrategy() + root_dir = os.path.join(current_dir, "examples", "snowpack") + alias_mapping: Dict[str, Any] = {"languages": {}} + strategy_object.update_alias_mapping(alias_mapping, "supplygoat", root_dir, {'axios'}) + assert alias_mapping == {'languages': {'nodejs': {'repositories': {'supplygoat': {'files': {'snowpack.config.js': {'packageAliases': {'axios': {'packageAliases': ['ax']}}}}}}}}} + + +def test_create_alias_mapping_from_vite(): + strategy_object = NodejsAliasMappingStrategy() + root_dir = os.path.join(current_dir, "examples", "vite") + alias_mapping: Dict[str, Any] = {"languages": {}} + strategy_object.update_alias_mapping(alias_mapping, "supplygoat", root_dir, {'axios'}) + assert alias_mapping == {'languages': {'nodejs': {'repositories': {'supplygoat': {'files': {'vite.config.js': {'packageAliases': {'axios': {'packageAliases': ['ax']}}}}}}}}} + + +def test_create_alias_mapping_mix(): + strategy_object = NodejsAliasMappingStrategy() + root_dir = os.path.join(current_dir, "examples", "mix") + alias_mapping: Dict[str, Any] = {"languages": {}} + strategy_object.update_alias_mapping(alias_mapping, "supplygoat", root_dir, {'axios'}) + assert alias_mapping == {'languages': {'nodejs': {'repositories': {'supplygoat': {'files': {'vite.config.js': {'packageAliases': {'axios': {'packageAliases': ['ax']}}}, 'package_json_with_alias/package.json': {'packageAliases': {'axios': {'packageAliases': ['ax']}}}}}}}}} + + +def test_create_alias_mapping_from_fake(): + strategy_object = NodejsAliasMappingStrategy() + root_dir = os.path.join(current_dir, "examples", "fake_file") + alias_mapping: Dict[str, Any] = {"languages": {}} + strategy_object.update_alias_mapping(alias_mapping, "supplygoat", root_dir, {'axios'}) + assert alias_mapping == {'languages': {}} diff --git a/tests/common/sca/reachability/test_alias_mapping_creator.py b/tests/common/sca/reachability/test_alias_mapping_creator.py new file mode 100644 index 00000000000..440eb0e8dd4 --- /dev/null +++ b/tests/common/sca/reachability/test_alias_mapping_creator.py @@ -0,0 +1,29 @@ +import os +from checkov.common.sca.reachability.alias_mapping_creator import AliasMappingCreator + +current_dir = os.path.dirname(os.path.realpath(__file__)) + + +def test_alias_mapping_creator(): + alias_mapping_creator = AliasMappingCreator() + alias_mapping_creator.update_alias_mapping_for_repository("example_repo", os.path.join(current_dir, "example_repo"), {'axios'}) + alias_mapping = alias_mapping_creator.get_alias_mapping() + assert alias_mapping == { + "languages": { + "nodejs": { + "repositories": { + "example_repo": { + "files": { + "tsconfig.json": { + "packageAliases": { + "axios": { + "packageAliases":["ax"] + } + } + } + } + } + } + } + } + } diff --git a/tests/dockerfile/graph_builder/checks/test_yaml_policies.py b/tests/dockerfile/graph_builder/checks/test_yaml_policies.py index d641a089b7e..c3dceab0ad6 100644 --- a/tests/dockerfile/graph_builder/checks/test_yaml_policies.py +++ b/tests/dockerfile/graph_builder/checks/test_yaml_policies.py @@ -4,8 +4,7 @@ from typing import List from parameterized import parameterized_class -from checkov.common.graph.db_connectors.igraph.igraph_db_connector import IgraphConnector -from checkov.common.graph.db_connectors.networkx.networkx_db_connector import NetworkxConnector +from tests.graph_utils.utils import set_db_connector_by_graph_framework, PARAMETERIZED_GRAPH_FRAMEWORKS from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.models.enums import CheckResult from checkov.common.output.record import Record @@ -15,19 +14,12 @@ from tests.common.graph.checks.test_yaml_policies_base import TestYamlPoliciesBase -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestYamlPolicies(TestYamlPoliciesBase): def __init__(self, args): - db_connector = None - if self.graph_framework == 'NETWORKX': - db_connector = NetworkxConnector - elif self.graph_framework == 'IGRAPH': - db_connector = IgraphConnector + db_connector = set_db_connector_by_graph_framework(self.graph_framework) - graph_manager = DockerfileGraphManager(db_connector=db_connector()) + graph_manager = DockerfileGraphManager(db_connector=db_connector) super().__init__( graph_manager=graph_manager, real_graph_checks_path=str( diff --git a/tests/github_actions/checks/graph_checks/test_yaml_policies.py b/tests/github_actions/checks/graph_checks/test_yaml_policies.py index 5c901ca66f3..cf97e82ad77 100644 --- a/tests/github_actions/checks/graph_checks/test_yaml_policies.py +++ b/tests/github_actions/checks/graph_checks/test_yaml_policies.py @@ -4,8 +4,7 @@ from typing import List from parameterized import parameterized_class -from checkov.common.graph.db_connectors.igraph.igraph_db_connector import IgraphConnector -from checkov.common.graph.db_connectors.networkx.networkx_db_connector import NetworkxConnector +from tests.graph_utils.utils import set_db_connector_by_graph_framework, PARAMETERIZED_GRAPH_FRAMEWORKS from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.models.enums import CheckResult from checkov.common.output.record import Record @@ -16,17 +15,10 @@ from tests.common.graph.checks.test_yaml_policies_base import TestYamlPoliciesBase -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestYamlPolicies(TestYamlPoliciesBase): def __init__(self, args): - db_connector = None - if self.graph_framework == 'NETWORKX': - db_connector = NetworkxConnector() - elif self.graph_framework == 'IGRAPH': - db_connector = IgraphConnector() + db_connector = set_db_connector_by_graph_framework(self.graph_framework) graph_manager = ObjectGraphManager(db_connector=db_connector, source="GitHubActions") super().__init__( diff --git a/tests/graph_utils/__init__.py b/tests/graph_utils/__init__.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/tests/graph_utils/utils.py b/tests/graph_utils/utils.py new file mode 100644 index 00000000000..4e45f6e3e7b --- /dev/null +++ b/tests/graph_utils/utils.py @@ -0,0 +1,89 @@ +from __future__ import annotations + +from typing import Any + +import igraph +from networkx import DiGraph +from rustworkx import PyDiGraph + +from checkov.common.graph.db_connectors.igraph.igraph_db_connector import IgraphConnector +from checkov.common.graph.db_connectors.networkx.networkx_db_connector import NetworkxConnector +from checkov.common.graph.db_connectors.rustworkx.rustworkx_db_connector import RustworkxConnector +from checkov.common.graph.graph_builder import CustomAttributes +from checkov.common.typing import LibraryGraph + +GRAPH_FRAMEWORKS = ['NETWORKX', 'IGRAPH', 'RUSTWORKX'] +PARAMETERIZED_GRAPH_FRAMEWORKS = [ + {"graph_framework": "NETWORKX"}, + {"graph_framework": "IGRAPH"}, + {"graph_framework": "RUSTWORKX"} +] + + +def set_db_connector_by_graph_framework(graph_framework: str) -> Any: + if graph_framework == 'NETWORKX': + return NetworkxConnector() + elif graph_framework == 'IGRAPH': + return IgraphConnector() + elif graph_framework == 'RUSTWORKX': + return RustworkxConnector() + return None + + +def set_graph_by_graph_framework(graph_framework: str) -> LibraryGraph: + if graph_framework == 'NETWORKX': + graph = DiGraph() + elif graph_framework == 'IGRAPH': + graph = igraph.Graph() + else: # graph_framework == 'RUSTWORKX' + graph = PyDiGraph() + return graph + + +def set_graph_with_resource_by_graph_framework(graph_framework: str, resource: dict[str, Any], module_resource: dict[str, Any] | None = None) -> LibraryGraph: + if graph_framework == 'IGRAPH': + graph = igraph.Graph() + attr = resource + graph.add_vertex( + name='1', + block_type_='resource', + resource_type=attr[CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in attr else None, + attr=attr, + ) + if module_resource: + graph.add_vertex( + name='batch', + block_type_='module', + resource_type=module_resource[ + CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in module_resource else None, + attr=module_resource, + ) + + elif graph_framework == 'NETWORKX': + graph = DiGraph() + graph.add_node(1, **resource) + if module_resource: + graph.add_node(2, **module_resource) + + else: # graph_framework == 'RUSTWORKX' + graph = PyDiGraph() + graph.add_node((0, resource)) + if module_resource: + graph.add_node((1, module_resource)) + + return graph + + +def add_vertices_to_graph_by_graph_framework(graph_framework: str, vertices: dict[str, Any], graph: LibraryGraph, index: int = 1, name: str = '1', block_type: str = 'resource') -> None: + if graph_framework == 'IGRAPH': + graph.add_vertex( + name=name, + block_type_=block_type, + resource_type=vertices[CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in vertices else None, + attr=vertices, + ) + elif graph_framework == 'NETWORKX': + graph.add_node(index, **vertices) + + else: # graph_framework == 'RUSTWORKX' + graph.add_node((index-1, vertices)) diff --git a/tests/kubernetes/graph/checks/test_yaml_policies.py b/tests/kubernetes/graph/checks/test_yaml_policies.py index ae1937dabda..f0f31ea1c8a 100644 --- a/tests/kubernetes/graph/checks/test_yaml_policies.py +++ b/tests/kubernetes/graph/checks/test_yaml_policies.py @@ -4,8 +4,7 @@ from parameterized import parameterized_class -from checkov.common.graph.db_connectors.igraph.igraph_db_connector import IgraphConnector -from checkov.common.graph.db_connectors.networkx.networkx_db_connector import NetworkxConnector +from tests.graph_utils.utils import set_db_connector_by_graph_framework, PARAMETERIZED_GRAPH_FRAMEWORKS from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.models.enums import CheckResult from checkov.common.output.record import Record @@ -14,20 +13,13 @@ from tests.common.graph.checks.test_yaml_policies_base import TestYamlPoliciesBase -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestYamlPolicies(TestYamlPoliciesBase): def tearDown(self) -> None: self.get_checks_registry().checks = [] def __init__(self, args): - db_connector = None - if self.graph_framework == 'NETWORKX': - db_connector = NetworkxConnector() - elif self.graph_framework == 'IGRAPH': - db_connector = IgraphConnector() + db_connector = set_db_connector_by_graph_framework(self.graph_framework) graph_manager = KubernetesGraphManager(db_connector=db_connector) real_graph_checks_relative_path = "checkov/kubernetes/checks/graph_checks" real_graph_checks_path = os.path.join(os.path.dirname(__file__), '..', '..', '..', '..', diff --git a/tests/kubernetes/graph/test_running_graph_checks.py b/tests/kubernetes/graph/test_running_graph_checks.py index a3aafcaf81f..0d07c418848 100644 --- a/tests/kubernetes/graph/test_running_graph_checks.py +++ b/tests/kubernetes/graph/test_running_graph_checks.py @@ -5,11 +5,12 @@ from checkov.kubernetes.runner import Runner from checkov.runner_filter import RunnerFilter +from tests.graph_utils.utils import GRAPH_FRAMEWORKS RESOURCES_DIR = Path(__file__).parent / "resources" -@pytest.mark.parametrize("graph_framework", ["NETWORKX", "IGRAPH"]) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_runner(mocker: MockerFixture, graph_framework): # given test_file_path = RESOURCES_DIR / "graph_check.yaml" diff --git a/tests/kubernetes/image_referencer/provider/test_k8s.py b/tests/kubernetes/image_referencer/provider/test_k8s.py index ebd062c38f3..4afa7e9dcc8 100644 --- a/tests/kubernetes/image_referencer/provider/test_k8s.py +++ b/tests/kubernetes/image_referencer/provider/test_k8s.py @@ -1,15 +1,13 @@ from unittest import mock -import igraph import pytest -from networkx import DiGraph - -from checkov.common.graph.graph_builder import CustomAttributes from checkov.kubernetes.image_referencer.provider.k8s import KubernetesProvider from checkov.common.images.image_referencer import Image +from tests.graph_utils.utils import GRAPH_FRAMEWORKS, set_graph_by_graph_framework, \ + add_vertices_to_graph_by_graph_framework -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_extract_images_from_resources(graph_framework): # given resource = { @@ -32,17 +30,8 @@ def test_extract_images_from_resources(graph_framework): }, "resource_type": "Pod", } - if graph_framework == 'IGRAPH': - graph = igraph.Graph() - graph.add_vertex( - name='1', - block_type_='resource', - resource_type=resource[CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in resource else None, - attr=resource, - ) - else: - graph = DiGraph() - graph.add_node(1, **resource) + graph = set_graph_by_graph_framework(graph_framework) + add_vertices_to_graph_by_graph_framework(graph_framework, resource, graph) # when with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}): @@ -64,7 +53,7 @@ def test_extract_images_from_resources(graph_framework): assert busybox_image in images -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_extract_images_from_resources_with_no_image(graph_framework): # given resource = { @@ -80,18 +69,8 @@ def test_extract_images_from_resources_with_no_image(graph_framework): }, "resource_type": "Pod", } - if graph_framework == 'IGRAPH': - graph = igraph.Graph() - graph.add_vertex( - name='1', - block_type_='resource', - resource_type=resource[ - CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in resource else None, - attr=resource, - ) - else: - graph = DiGraph() - graph.add_node(1, **resource) + graph = set_graph_by_graph_framework(graph_framework) + add_vertices_to_graph_by_graph_framework(graph_framework, resource, graph) # when with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}): diff --git a/tests/kubernetes/image_referencer/test_manager.py b/tests/kubernetes/image_referencer/test_manager.py index e2e9e367734..027d5178204 100644 --- a/tests/kubernetes/image_referencer/test_manager.py +++ b/tests/kubernetes/image_referencer/test_manager.py @@ -1,16 +1,13 @@ from unittest import mock -import igraph import pytest -from networkx import DiGraph - -from checkov.common.graph.graph_builder import CustomAttributes from checkov.kubernetes.image_referencer.manager import KubernetesImageReferencerManager from checkov.common.images.image_referencer import Image -from checkov.kubernetes.runner import Runner as KubernetesRunner +from tests.graph_utils.utils import set_graph_by_graph_framework, GRAPH_FRAMEWORKS, \ + add_vertices_to_graph_by_graph_framework -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_extract_images_from_resources(graph_framework): # given resource = { @@ -27,18 +24,8 @@ def test_extract_images_from_resources(graph_framework): }, "resource_type": "Pod", } - if graph_framework == 'IGRAPH': - graph = igraph.Graph() - graph.add_vertex( - name='1', - block_type_='resource', - resource_type=resource[ - CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in resource else None, - attr=resource, - ) - else: - graph = DiGraph() - graph.add_node(1, **resource) + graph = set_graph_by_graph_framework(graph_framework) + add_vertices_to_graph_by_graph_framework(graph_framework, resource, graph) # when with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}): @@ -56,8 +43,8 @@ def test_extract_images_from_resources(graph_framework): ] -@pytest.fixture() -def graph_resource_with_containers_and_init_containers(): +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) +def test_no_duplications_while_extracting_image_names(graph_framework): resource = { "file_path_": "/pod.yaml", "__endline__": 16, @@ -78,20 +65,11 @@ def graph_resource_with_containers_and_init_containers(): }, "resource_type": "Pod", } - graph = igraph.Graph() - graph.add_vertex( - name='duplicated_image', - block_type_='resource', - resource_type=resource[ - CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in resource else None, - attr=resource, - ) - return graph - - -def test_no_duplications_while_extracting_image_names(graph_resource_with_containers_and_init_containers: igraph.Graph): - manager = KubernetesImageReferencerManager(graph_connector=graph_resource_with_containers_and_init_containers) - images = manager.extract_images_from_resources() + graph = set_graph_by_graph_framework(graph_framework) + add_vertices_to_graph_by_graph_framework(graph_framework, resource, graph, 1, 'duplicated_image') + with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}): + manager = KubernetesImageReferencerManager(graph_connector=graph) + images = manager.extract_images_from_resources() assert len(images) == 1 image = images[0] assert image.name == 'nginx' diff --git a/tests/kubernetes/image_referencer/test_runner_k8s_resources.py b/tests/kubernetes/image_referencer/test_runner_k8s_resources.py index 83e2e656880..3d2e46898a3 100644 --- a/tests/kubernetes/image_referencer/test_runner_k8s_resources.py +++ b/tests/kubernetes/image_referencer/test_runner_k8s_resources.py @@ -1,10 +1,7 @@ -import os -import unittest from pathlib import Path from unittest import mock import pytest -from parameterized import parameterized_class from pytest_mock import MockerFixture from checkov.common.bridgecrew.bc_source import get_source_type @@ -16,11 +13,12 @@ mock_get_license_statuses_async, mock_get_image_cached_result_async, ) +from tests.graph_utils.utils import GRAPH_FRAMEWORKS RESOURCES_PATH = Path(__file__).parent / "resources/k8s" -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_pod_resources(mocker: MockerFixture, graph_framework): from checkov.common.bridgecrew.platform_integration import bc_integration @@ -79,7 +77,7 @@ def test_pod_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_cron_job_resources(mocker: MockerFixture, graph_framework): from checkov.common.bridgecrew.platform_integration import bc_integration @@ -126,7 +124,7 @@ def test_cron_job_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_daemon_set_resources(mocker: MockerFixture, graph_framework): from checkov.common.bridgecrew.platform_integration import bc_integration @@ -173,7 +171,7 @@ def test_daemon_set_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_deployment_resources(mocker: MockerFixture, graph_framework): from checkov.common.bridgecrew.platform_integration import bc_integration @@ -220,7 +218,7 @@ def test_deployment_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_deployment_config_resources(mocker: MockerFixture, graph_framework): from checkov.common.bridgecrew.platform_integration import bc_integration @@ -267,7 +265,7 @@ def test_deployment_config_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_job_resources(mocker: MockerFixture, graph_framework): from checkov.common.bridgecrew.platform_integration import bc_integration @@ -314,7 +312,7 @@ def test_job_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_pod_template_resources(mocker: MockerFixture, graph_framework): from checkov.common.bridgecrew.platform_integration import bc_integration @@ -361,7 +359,7 @@ def test_pod_template_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_replica_set_resources(mocker: MockerFixture, graph_framework): from checkov.common.bridgecrew.platform_integration import bc_integration @@ -408,7 +406,7 @@ def test_replica_set_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_replication_controller_resources(mocker: MockerFixture, graph_framework): from checkov.common.bridgecrew.platform_integration import bc_integration @@ -458,7 +456,7 @@ def test_replication_controller_resources(mocker: MockerFixture, graph_framework assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_stateful_set_resources(mocker: MockerFixture, graph_framework): from checkov.common.bridgecrew.platform_integration import bc_integration diff --git a/tests/kustomize/graph/test_running_graph_checks.py b/tests/kustomize/graph/test_running_graph_checks.py index 9c58b00f5d0..58281722d73 100644 --- a/tests/kustomize/graph/test_running_graph_checks.py +++ b/tests/kustomize/graph/test_running_graph_checks.py @@ -6,9 +6,10 @@ import os from checkov.kustomize.runner import Runner from checkov.runner_filter import RunnerFilter +from tests.graph_utils.utils import GRAPH_FRAMEWORKS -@pytest.mark.parametrize("graph_framework", ["NETWORKX", "IGRAPH"]) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_runner(mocker: MockerFixture, graph_framework): scan_dir_path = Path(__file__).parent / "resources" / "example_checks" dir_rel_path = os.path.realpath(scan_dir_path).replace('\\', '/') diff --git a/tests/openapi/checks/resource/generic/example_SecurityOperations/pass2.json b/tests/openapi/checks/resource/generic/example_SecurityOperations/pass2.json index adb94d6be15..4e55d60d5d2 100644 --- a/tests/openapi/checks/resource/generic/example_SecurityOperations/pass2.json +++ b/tests/openapi/checks/resource/generic/example_SecurityOperations/pass2.json @@ -1,5 +1,5 @@ { - "swagger": "2.0", + "openapi": "3.0.0", "info": { "title": "example", "version": "1.0.0", diff --git a/tests/openapi/checks/resource/generic/example_SecurityOperations/pass2.yaml b/tests/openapi/checks/resource/generic/example_SecurityOperations/pass2.yaml index a9ec6590ab9..56b31b527d5 100644 --- a/tests/openapi/checks/resource/generic/example_SecurityOperations/pass2.yaml +++ b/tests/openapi/checks/resource/generic/example_SecurityOperations/pass2.yaml @@ -1,4 +1,4 @@ -swagger: "2.0" +openapi: 3.0.0 info: title: example version: 1.0.0 @@ -27,4 +27,4 @@ paths: type: string required: - code - - message \ No newline at end of file + - message diff --git a/tests/openapi/checks/resource/generic/example_SecurityOperations/pass3.json b/tests/openapi/checks/resource/generic/example_SecurityOperations/pass3.json new file mode 100644 index 00000000000..89ed1dde57a --- /dev/null +++ b/tests/openapi/checks/resource/generic/example_SecurityOperations/pass3.json @@ -0,0 +1,55 @@ +{ + "openapi": "3.0.3", + "info": { + "title": "example", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "security": [ + { + "ApiKeyAuth": [] + } + ], + "paths": { + "/": { + "get": { + "operationId": "id", + "summary": "example", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "ApiKeyAuth": { + "type": "apiKey", + "in": "header", + "name": "X-API-KEY" + } + } + } +} \ No newline at end of file diff --git a/tests/openapi/checks/resource/generic/example_SecurityOperations/pass3.yaml b/tests/openapi/checks/resource/generic/example_SecurityOperations/pass3.yaml new file mode 100644 index 00000000000..340957dbf32 --- /dev/null +++ b/tests/openapi/checks/resource/generic/example_SecurityOperations/pass3.yaml @@ -0,0 +1,35 @@ +openapi: "3.0.3" +info: + title: example + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +security: + - ApiKeyAuth: [] +paths: + "/": + get: + operationId: id + summary: example + responses: + "200": + description: 200 response + schema: + type: object + properties: + code: + type: integer + format: int32 + message: + type: string + required: + - code + - message +components: + securitySchemes: + ApiKeyAuth: + type: apiKey + in: header + name: X-API-KEY \ No newline at end of file diff --git a/tests/openapi/checks/resource/generic/test_SecurityOperations.py b/tests/openapi/checks/resource/generic/test_SecurityOperations.py index 05ce403b60b..6f677bda049 100644 --- a/tests/openapi/checks/resource/generic/test_SecurityOperations.py +++ b/tests/openapi/checks/resource/generic/test_SecurityOperations.py @@ -23,6 +23,8 @@ def test_summary(self): "/pass1.json", "/pass2.yaml", "/pass2.json", + "/pass3.yaml", + "/pass3.json", } failing_resources = { "/fail1.yaml", diff --git a/tests/sca_package_2/test_runner.py b/tests/sca_package_2/test_runner.py index 8e5fc4b61c8..abad65b06b5 100644 --- a/tests/sca_package_2/test_runner.py +++ b/tests/sca_package_2/test_runner.py @@ -1,3 +1,4 @@ +import os from pathlib import Path from mock.mock import MagicMock @@ -74,40 +75,48 @@ def test_upload_scannable_files_exclude_go_and_requirements(): def test_upload_scannable_files_file_config(): - # when - input_output_paths = Runner().upload_package_files( - root_path=None, - files=[ - str(EXAMPLES_DIR / 'requirements.txt'), - str(EXAMPLES_DIR / 'go.sum'), - str(EXAMPLES_DIR / 'package-lock.json'), - str(EXAMPLES_DIR / 'package.json'), - str(EXAMPLES_DIR / 'go.mod'), - str(EXAMPLES_DIR / 'Microsoft.NET.Sdk.csproj') - ], - excluded_paths=set(), - excluded_file_names=set() - ) - # expected - expected_output = { - FileToPersist(full_file_path=str(EXAMPLES_DIR / 'requirements.txt'), - s3_file_key='requirements.txt'), - FileToPersist(full_file_path=str(EXAMPLES_DIR / 'go.sum'), - s3_file_key='go.sum'), - FileToPersist(full_file_path=str(EXAMPLES_DIR / 'package-lock.json'), - s3_file_key='package-lock.json'), - FileToPersist(full_file_path=str(EXAMPLES_DIR / 'package.json'), - s3_file_key='package.json'), - FileToPersist(full_file_path=str(EXAMPLES_DIR / 'go.mod'), - s3_file_key='go.mod'), - FileToPersist(full_file_path=str(EXAMPLES_DIR / 'Microsoft.NET.Sdk.csproj'), - s3_file_key='Microsoft.NET.Sdk.csproj') - } + origin_cwd = os.getcwd() + try: + # setup + os.chdir(str(Path(__file__).parent)) + + # when + input_output_paths = Runner().upload_package_files( + root_path=None, + files=[ + str(EXAMPLES_DIR / 'requirements.txt'), + str(EXAMPLES_DIR / 'go.sum'), + str(EXAMPLES_DIR / 'package-lock.json'), + str(EXAMPLES_DIR / 'package.json'), + str(EXAMPLES_DIR / 'go.mod'), + str(EXAMPLES_DIR / 'Microsoft.NET.Sdk.csproj') + ], + excluded_paths=set(), + excluded_file_names=set() + ) + # expected (paths are in related to the test-working-dir) + expected_output = { + FileToPersist(full_file_path=str(EXAMPLES_DIR / 'requirements.txt'), + s3_file_key='examples/requirements.txt'), + FileToPersist(full_file_path=str(EXAMPLES_DIR / 'go.sum'), + s3_file_key='examples/go.sum'), + FileToPersist(full_file_path=str(EXAMPLES_DIR / 'package-lock.json'), + s3_file_key='examples/package-lock.json'), + FileToPersist(full_file_path=str(EXAMPLES_DIR / 'package.json'), + s3_file_key='examples/package.json'), + FileToPersist(full_file_path=str(EXAMPLES_DIR / 'go.mod'), + s3_file_key='examples/go.mod'), + FileToPersist(full_file_path=str(EXAMPLES_DIR / 'Microsoft.NET.Sdk.csproj'), + s3_file_key='examples/Microsoft.NET.Sdk.csproj') + } - # then - assert len(input_output_paths) == 6 + # then + assert len(input_output_paths) == 6 - assert set(input_output_paths) == expected_output + assert set(input_output_paths) == expected_output + finally: + # teardown + os.chdir(origin_cwd) def test_run(sca_package_2_report): diff --git a/tests/terraform/checks/resource/aws/example_DeprecatedLambdaRuntime/main.tf b/tests/terraform/checks/resource/aws/example_DeprecatedLambdaRuntime/main.tf new file mode 100644 index 00000000000..4c23bf01353 --- /dev/null +++ b/tests/terraform/checks/resource/aws/example_DeprecatedLambdaRuntime/main.tf @@ -0,0 +1,35 @@ +resource "aws_lambda_function" "pass" { + filename = "lambda_function_payload.zip" + function_name = "lambda_function_name" + role = aws_iam_role.iam_for_lambda.arn + handler = "index.test" + runtime = "nodejs18.x" + + ephemeral_storage { + size = 10240 # Min 512 MB and the Max 10240 MB + } +} + +resource "aws_lambda_function" "fail" { + filename = "lambda_function_payload.zip" + function_name = "lambda_function_name" + role = aws_iam_role.iam_for_lambda.arn + handler = "index.test" + runtime = "python3.6" + + ephemeral_storage { + size = 10240 # Min 512 MB and the Max 10240 MB + } +} + +resource "aws_lambda_function" "fail2" { + filename = "lambda_function_payload.zip" + function_name = "lambda_function_name" + role = aws_iam_role.iam_for_lambda.arn + handler = "index.test" + runtime = "dotnetcore3.1" + + ephemeral_storage { + size = 10240 # Min 512 MB and the Max 10240 MB + } +} \ No newline at end of file diff --git a/tests/terraform/checks/resource/aws/example_DocDBBackupRetention/main.tf b/tests/terraform/checks/resource/aws/example_DocDBBackupRetention/main.tf new file mode 100644 index 00000000000..f32dd0036b5 --- /dev/null +++ b/tests/terraform/checks/resource/aws/example_DocDBBackupRetention/main.tf @@ -0,0 +1,31 @@ +# pass + +resource "aws_docdb_cluster" "pass" { + cluster_identifier = "my-docdb-cluster" + engine = "docdb" + master_username = "foo" + master_password = "mustbeeightchars" # checkov:skip=CKV_SECRET_6 test secret + + backup_retention_period = 7 +} + + + +# fail + +resource "aws_docdb_cluster" "fail_no_value" { + cluster_identifier = "my-docdb-cluster" + engine = "docdb" + master_username = "foo" + master_password = "mustbeeightchars" # checkov:skip=CKV_SECRET_6 test secret +} + + +resource "aws_docdb_cluster" "fail_value_not_adequate" { + cluster_identifier = "my-docdb-cluster" + engine = "docdb" + master_username = "foo" + master_password = "mustbeeightchars" # checkov:skip=CKV_SECRET_6 test secret + + backup_retention_period = 3 +} \ No newline at end of file diff --git a/tests/terraform/checks/resource/aws/example_LambdaServicePermission/LambdaServicePermission.tf b/tests/terraform/checks/resource/aws/example_LambdaServicePermission/LambdaServicePermission.tf new file mode 100644 index 00000000000..d17f2b319f0 --- /dev/null +++ b/tests/terraform/checks/resource/aws/example_LambdaServicePermission/LambdaServicePermission.tf @@ -0,0 +1,37 @@ +## SHOULD PASS: This permission specifies a source_arn, therefore is not globally available. +resource "aws_lambda_permission" "ckv_unittest_pass_source_arn" { + statement_id = "AllowMyDemoAPIInvoke" + action = "lambda:InvokeFunction" + function_name = "MyDemoFunction" + principal = "apigateway.amazonaws.com" + + # The /*/*/* part allows invocation from any stage, method and resource path + # within API Gateway REST API. + source_arn = "${aws_api_gateway_rest_api.MyDemoAPI.execution_arn}/*/*/*" +} + +## SHOULD PASS: This permission specifies a source_account, therefore is not globally available. +resource "aws_lambda_permission" "ckv_unittest_pass_source_account" { + statement_id = "AllowMyDemoAPIInvoke" + action = "lambda:InvokeFunction" + function_name = "MyDemoFunction" + principal = "apigateway.amazonaws.com" + + source_account = "901234678" +} + +## SHOULD UNKNOWN: This permission specifies a principal as an account ID. +resource "aws_lambda_permission" "ckv_unittest_unknown_principal" { + statement_id = "AllowMyDemoAPIInvoke" + action = "lambda:InvokeFunction" + function_name = "MyDemoFunction" + principal = "901234678" +} + +## SHOULD FAIL: This allows any serviceprincpal across all accounts to access +resource "aws_lambda_permission" "ckv_unittest_fail" { + statement_id = "AllowMyDemoAPIInvoke" + action = "lambda:InvokeFunction" + function_name = "MyDemoFunction" + principal = "apigateway.amazonaws.com" +} \ No newline at end of file diff --git a/tests/terraform/checks/resource/aws/example_NeptuneClusterBackupRetention/NeptuneClusterBackupRetention.tf b/tests/terraform/checks/resource/aws/example_NeptuneClusterBackupRetention/NeptuneClusterBackupRetention.tf new file mode 100644 index 00000000000..13214a996c6 --- /dev/null +++ b/tests/terraform/checks/resource/aws/example_NeptuneClusterBackupRetention/NeptuneClusterBackupRetention.tf @@ -0,0 +1,19 @@ +## SHOULD PASS: backup retention to 7 or more +resource "aws_neptune_cluster" "ckv_unittest_pass" { + cluster_identifier = "neptune-cluster-demo" + engine = "neptune" + backup_retention_period = 7 +} + +## SHOULD FAIL: backup retention to less than 7 +resource "aws_neptune_cluster" "ckv_unittest_fail_not_adequate" { + cluster_identifier = "neptune-cluster-demo" + engine = "neptune" + backup_retention_period = 3 +} + +## SHOULD FAIL: backup retention not set (default is 1) +resource "aws_neptune_cluster" "ckv_unittest_fail_default" { + cluster_identifier = "neptune-cluster-demo" + engine = "neptune" +} \ No newline at end of file diff --git a/tests/terraform/checks/resource/aws/example_NeptuneDBClustersCopyTagsToSnapshots/NeptuneDBClustersCopyTagsToSnapshots.tf b/tests/terraform/checks/resource/aws/example_NeptuneDBClustersCopyTagsToSnapshots/NeptuneDBClustersCopyTagsToSnapshots.tf new file mode 100644 index 00000000000..be8f4066bfd --- /dev/null +++ b/tests/terraform/checks/resource/aws/example_NeptuneDBClustersCopyTagsToSnapshots/NeptuneDBClustersCopyTagsToSnapshots.tf @@ -0,0 +1,14 @@ +## SHOULD PASS: has copy_tags_to_snapshot = true +resource "aws_neptune_cluster" "ckv_unittest_pass" { + copy_tags_to_snapshot = true +} + +## SHOULD FAIL: doens't have copy_tags_to_snapshot +resource "aws_neptune_cluster" "ckv_unittest_fail" { + copy_tags_to_snapshot = false +} + +## SHOULD FAIL: have copy_tags_to_snapshot = false +resource "aws_neptune_cluster" "ckv_unittest2_fail" { + ## Your test here +} \ No newline at end of file diff --git a/tests/terraform/checks/resource/aws/example_NeptuneDBClustersIAMDatabaseAuthenticationEnabled/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.tf b/tests/terraform/checks/resource/aws/example_NeptuneDBClustersIAMDatabaseAuthenticationEnabled/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.tf new file mode 100644 index 00000000000..16f21de1a0f --- /dev/null +++ b/tests/terraform/checks/resource/aws/example_NeptuneDBClustersIAMDatabaseAuthenticationEnabled/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.tf @@ -0,0 +1,20 @@ +## SHOULD PASS: iam_database_authentication_enabled set to true +resource "aws_neptune_cluster" "ckv_unittest_pass" { + ## Your test here + cluster_identifier = "bla" + iam_database_authentication_enabled = true +} + +## SHOULD FAIL: iam_database_authentication_enabled set to false +resource "aws_neptune_cluster" "ckv_unittest_fail" { + ## Your test here + cluster_identifier = "bla_fail" + iam_database_authentication_enabled = false +} + + +## SHOULD FAIL: iam_database_authentication_enabled doesn't exist +resource "aws_neptune_cluster" "ckv_unittest2_fail" { + ## Your test here + cluster_identifier = "bla_fail" +} \ No newline at end of file diff --git a/tests/terraform/checks/resource/aws/example_S3AbortIncompleteUploads/main.tf b/tests/terraform/checks/resource/aws/example_S3AbortIncompleteUploads/main.tf index 5d3c6f95f25..6c84899aa88 100644 --- a/tests/terraform/checks/resource/aws/example_S3AbortIncompleteUploads/main.tf +++ b/tests/terraform/checks/resource/aws/example_S3AbortIncompleteUploads/main.tf @@ -197,3 +197,29 @@ resource "aws_s3_bucket_lifecycle_configuration" "pass3" { status = "Enabled" } } + +resource "aws_s3_bucket_lifecycle_configuration" "resource_with_dynamic_rule_pass4" { + bucket = aws_s3_bucket.main.bucket + + rule { + id = "abort_incomplete_multipart_upload" + status = "Enabled" + + abort_incomplete_multipart_upload { + days_after_initiation = var.config.abort_incomplete_multipart_upload + } + } + + dynamic "rule" { + for_each = local.lifecycle_rules.storage_class + + content { + id = "storage_class_is_${var.config.storage_class}" + status = "Enabled" + + transition { + storage_class = var.config.storage_class + } + } + } +} \ No newline at end of file diff --git a/tests/terraform/checks/resource/aws/test_DeprecatedLambdaRuntime.py b/tests/terraform/checks/resource/aws/test_DeprecatedLambdaRuntime.py new file mode 100644 index 00000000000..18518843672 --- /dev/null +++ b/tests/terraform/checks/resource/aws/test_DeprecatedLambdaRuntime.py @@ -0,0 +1,44 @@ +import unittest +from pathlib import Path + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.checks.resource.aws.DeprecatedLambdaRuntime import check +from checkov.terraform.runner import Runner + + +class TestDeprecatedLambdaRuntime(unittest.TestCase): + def test(self): + # given + test_files_dir = Path(__file__).parent / "example_DeprecatedLambdaRuntime" + + # when + report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) + + # then + summary = report.get_summary() + + passing_resources = { + "aws_lambda_function.pass", + } + + failing_resources = { + "aws_lambda_function.fail", + "aws_lambda_function.fail2", + } + + skipped_resources = {} + + passed_check_resources = {c.resource for c in report.passed_checks} + failed_check_resources = {c.resource for c in report.failed_checks} + + self.assertEqual(summary['passed'], len(passing_resources)) + self.assertEqual(summary['failed'], len(failing_resources)) + self.assertEqual(summary['skipped'], len(skipped_resources)) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/terraform/checks/resource/aws/test_DocDBBackupRetention.py b/tests/terraform/checks/resource/aws/test_DocDBBackupRetention.py new file mode 100644 index 00000000000..cd4c2494521 --- /dev/null +++ b/tests/terraform/checks/resource/aws/test_DocDBBackupRetention.py @@ -0,0 +1,43 @@ +import unittest + +from pathlib import Path + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.runner import Runner +from checkov.common.models.enums import CheckResult +from checkov.terraform.checks.resource.aws.DocDBBackupRetention import check + + +class TestDocDBBackupRetention(unittest.TestCase): + + def test(self): + # given + test_files_dir = Path(__file__).parent / "example_DocDBBackupRetention" + + # when + report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) + + # then + summary = report.get_summary() + + passing_resources = { + "aws_docdb_cluster.pass", + } + failing_resources = { + "aws_docdb_cluster.fail_no_value", + "aws_docdb_cluster.fail_value_not_adequate" + } + + passed_check_resources = {c.resource for c in report.passed_checks} + failed_check_resources = {c.resource for c in report.failed_checks} + + self.assertEqual(summary["passed"], len(passing_resources)) + self.assertEqual(summary["failed"], len(failing_resources)) + self.assertEqual(summary["parsing_errors"], 0) + self.assertEqual(summary["resource_count"], 3) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + +if __name__ == '__main__': + unittest.main() diff --git a/tests/terraform/checks/resource/aws/test_LambdaServicePermission.py b/tests/terraform/checks/resource/aws/test_LambdaServicePermission.py new file mode 100644 index 00000000000..9687142adf7 --- /dev/null +++ b/tests/terraform/checks/resource/aws/test_LambdaServicePermission.py @@ -0,0 +1,46 @@ +import os +import unittest + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.runner import Runner +from checkov.terraform.checks.resource.aws.LambdaServicePermission import check + + +class TestLambdaServicePermission(unittest.TestCase): + + def test(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = os.path.join(current_dir, "example_LambdaServicePermission") + report = runner.run(root_folder=test_files_dir, + runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + 'aws_lambda_permission.ckv_unittest_pass_source_arn', + 'aws_lambda_permission.ckv_unittest_pass_source_account' + } + failing_resources = { + 'aws_lambda_permission.ckv_unittest_fail', + } + unknown_resources = { + 'aws_lambda_permission.ckv_unittest_pass_principal', + } + + skipped_resources = {} + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary['passed'], len(passing_resources)) + self.assertEqual(summary['failed'], len(failing_resources)) + self.assertEqual(summary['skipped'], len(skipped_resources)) + self.assertEqual(summary['parsing_errors'], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == '__main__': + unittest.main() \ No newline at end of file diff --git a/tests/terraform/checks/resource/aws/test_NeptuneClusterBackupRetention.py b/tests/terraform/checks/resource/aws/test_NeptuneClusterBackupRetention.py new file mode 100644 index 00000000000..bc0930e00db --- /dev/null +++ b/tests/terraform/checks/resource/aws/test_NeptuneClusterBackupRetention.py @@ -0,0 +1,42 @@ +import os +import unittest + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.runner import Runner +from checkov.terraform.checks.resource.aws.NeptuneClusterBackupRetention import check + + +class TestNeptuneClusterBackupRetention(unittest.TestCase): + + def test(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = os.path.join(current_dir, "example_NeptuneClusterBackupRetention") + report = runner.run(root_folder=test_files_dir, + runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + 'aws_neptune_cluster.ckv_unittest_pass' + } + failing_resources = { + 'aws_neptune_cluster.ckv_unittest_fail_not_adequate', + 'aws_neptune_cluster.ckv_unittest_fail_default' + } + skipped_resources = {} + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary['passed'], len(passing_resources)) + self.assertEqual(summary['failed'], len(failing_resources)) + self.assertEqual(summary['skipped'], len(skipped_resources)) + self.assertEqual(summary['parsing_errors'], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == '__main__': + unittest.main() \ No newline at end of file diff --git a/tests/terraform/checks/resource/aws/test_NeptuneDBClustersCopyTagsToSnapshots.py b/tests/terraform/checks/resource/aws/test_NeptuneDBClustersCopyTagsToSnapshots.py new file mode 100644 index 00000000000..78f91e27700 --- /dev/null +++ b/tests/terraform/checks/resource/aws/test_NeptuneDBClustersCopyTagsToSnapshots.py @@ -0,0 +1,42 @@ +import os +import unittest + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.runner import Runner +from checkov.terraform.checks.resource.aws.NeptuneDBClustersCopyTagsToSnapshots import check + + +class TestNeptuneDBClustersCopyTagsToSnapshots(unittest.TestCase): + + def test(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = os.path.join(current_dir, "example_NeptuneDBClustersCopyTagsToSnapshots") + report = runner.run(root_folder=test_files_dir, + runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + 'aws_neptune_cluster.ckv_unittest_pass' + } + failing_resources = { + 'aws_neptune_cluster.ckv_unittest_fail', + 'aws_neptune_cluster.ckv_unittest2_fail', + } + skipped_resources = {} + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary['passed'], len(passing_resources)) + self.assertEqual(summary['failed'], len(failing_resources)) + self.assertEqual(summary['skipped'], len(skipped_resources)) + self.assertEqual(summary['parsing_errors'], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == '__main__': + unittest.main() \ No newline at end of file diff --git a/tests/terraform/checks/resource/aws/test_NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py b/tests/terraform/checks/resource/aws/test_NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py new file mode 100644 index 00000000000..c8d67a82f5d --- /dev/null +++ b/tests/terraform/checks/resource/aws/test_NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py @@ -0,0 +1,42 @@ +import os +import unittest + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.runner import Runner +from checkov.terraform.checks.resource.aws.NeptuneDBClustersIAMDatabaseAuthenticationEnabled import check + + +class TestNeptuneDBClustersIAMDatabaseAuthenticationEnabled(unittest.TestCase): + + def test(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = os.path.join(current_dir, "example_NeptuneDBClustersIAMDatabaseAuthenticationEnabled") + report = runner.run(root_folder=test_files_dir, + runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + 'aws_neptune_cluster.ckv_unittest_pass' + } + failing_resources = { + 'aws_neptune_cluster.ckv_unittest_fail', + 'aws_neptune_cluster.ckv_unittest2_fail', + } + skipped_resources = {} + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary['passed'], len(passing_resources)) + self.assertEqual(summary['failed'], len(failing_resources)) + self.assertEqual(summary['skipped'], len(skipped_resources)) + self.assertEqual(summary['parsing_errors'], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == '__main__': + unittest.main() \ No newline at end of file diff --git a/tests/terraform/checks/resource/aws/test_S3AbortIncompleteUploads.py b/tests/terraform/checks/resource/aws/test_S3AbortIncompleteUploads.py index 246169fb1be..4d8972ace47 100644 --- a/tests/terraform/checks/resource/aws/test_S3AbortIncompleteUploads.py +++ b/tests/terraform/checks/resource/aws/test_S3AbortIncompleteUploads.py @@ -22,6 +22,7 @@ def test(self): "aws_s3_bucket_lifecycle_configuration.pass", "aws_s3_bucket_lifecycle_configuration.pass2", "aws_s3_bucket_lifecycle_configuration.pass3", + "aws_s3_bucket_lifecycle_configuration.resource_with_dynamic_rule_pass4" } failing_resources = { "aws_s3_bucket_lifecycle_configuration.fail", @@ -40,6 +41,5 @@ def test(self): self.assertEqual(passing_resources, passed_check_resources) self.assertEqual(failing_resources, failed_check_resources) - if __name__ == "__main__": unittest.main() diff --git a/tests/terraform/checks/resource/azure/example_AKSEncryptionAtHostEnabled/main.tf b/tests/terraform/checks/resource/azure/example_AKSEncryptionAtHostEnabled/main.tf new file mode 100644 index 00000000000..21d1100b97d --- /dev/null +++ b/tests/terraform/checks/resource/azure/example_AKSEncryptionAtHostEnabled/main.tf @@ -0,0 +1,113 @@ +resource "azurerm_kubernetes_cluster" "pass" { + name = "internal" + kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id + vm_size = "Standard_DS2_v2" + node_count = 1 + + default_node_pool { + name = "default" + + enable_host_encryption = true + vm_size = "Standard_E4ads_v5" + os_disk_type = "Ephemeral" + zones = [1, 2, 3] + only_critical_addons_enabled = true + + type = "VirtualMachineScaleSets" + vnet_subnet_id = var.subnet_id + enable_auto_scaling = true + max_count = 6 + min_count = 2 + orchestrator_version = local.kubernetes_version + } + +} + +resource "azurerm_kubernetes_cluster_node_pool" "pass" { + name = "internal" + kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id + vm_size = "Standard_DS2_v2" + node_count = 1 + enable_host_encryption = true + + tags = { + Environment = "Production" + } +} + + +resource "azurerm_kubernetes_cluster" "fail1" { + name = "internal" + kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id + vm_size = "Standard_DS2_v2" + node_count = 1 + + tags = { + Environment = "Production" + } + + default_node_pool { + name = "default" + + enable_host_encryption = false + vm_size = "Standard_E4ads_v5" + zones = [1, 2, 3] + only_critical_addons_enabled = true + + type = "VirtualMachineScaleSets" + vnet_subnet_id = var.subnet_id + enable_auto_scaling = true + max_count = 6 + min_count = 2 + orchestrator_version = local.kubernetes_version + } + +} + +resource "azurerm_kubernetes_cluster_node_pool" "fail1" { + name = "internal" + kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id + vm_size = "Standard_DS2_v2" + node_count = 1 + enable_host_encryption = false + + tags = { + Environment = "Production" + } +} + + +resource "azurerm_kubernetes_cluster" "fail2" { + name = "internal" + kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id + vm_size = "Standard_DS2_v2" + node_count = 1 + + default_node_pool { + name = "default" + + vm_size = "Standard_E4ads_v5" + os_disk_type = "Ephemeral" + zones = [1, 2, 3] + only_critical_addons_enabled = true + + type = "VirtualMachineScaleSets" + vnet_subnet_id = var.subnet_id + enable_auto_scaling = true + max_count = 6 + min_count = 2 + orchestrator_version = local.kubernetes_version + } + +} + +resource "azurerm_kubernetes_cluster_node_pool" "fail2" { + name = "internal" + kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id + vm_size = "Standard_DS2_v2" + node_count = 1 + + tags = { + Environment = "Production" + } +} \ No newline at end of file diff --git a/tests/terraform/checks/resource/azure/example_AKSEphemeralOSDisks/main.tf b/tests/terraform/checks/resource/azure/example_AKSEphemeralOSDisks/main.tf new file mode 100644 index 00000000000..e813035097a --- /dev/null +++ b/tests/terraform/checks/resource/azure/example_AKSEphemeralOSDisks/main.tf @@ -0,0 +1,83 @@ +resource "azurerm_kubernetes_cluster" "pass" { + name = "internal" + kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id + vm_size = "Standard_DS2_v2" + node_count = 1 + + default_node_pool { + name = "default" + + enable_host_encryption = true + vm_size = "Standard_E4ads_v5" + os_disk_type = "Ephemeral" + zones = [1, 2, 3] + only_critical_addons_enabled = true + + type = "VirtualMachineScaleSets" + vnet_subnet_id = var.subnet_id + enable_auto_scaling = true + max_count = 6 + min_count = 2 + orchestrator_version = local.kubernetes_version + } + +} + +resource "azurerm_kubernetes_cluster" "fail" { + name = "internal" + kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id + vm_size = "Standard_DS2_v2" + node_count = 1 + + tags = { + Environment = "Production" + } + + default_node_pool { + name = "default" + + enable_host_encryption = true + vm_size = "Standard_E4ads_v5" + zones = [1, 2, 3] + only_critical_addons_enabled = true + + type = "VirtualMachineScaleSets" + vnet_subnet_id = var.subnet_id + enable_auto_scaling = true + max_count = 6 + min_count = 2 + orchestrator_version = local.kubernetes_version + } + +} + +resource "azurerm_kubernetes_cluster" "fail2" { + name = "internal" + kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id + vm_size = "Standard_DS2_v2" + node_count = 1 + os_disk_type = "Managed" + + tags = { + Environment = "Production" + } + + default_node_pool { + name = "default" + + enable_host_encryption = true + vm_size = "Standard_E4ads_v5" + os_disk_type = "Managed" + zones = [1, 2, 3] + only_critical_addons_enabled = true + + type = "VirtualMachineScaleSets" + vnet_subnet_id = var.subnet_id + enable_auto_scaling = true + max_count = 6 + min_count = 2 + orchestrator_version = local.kubernetes_version + } + + +} \ No newline at end of file diff --git a/tests/terraform/checks/resource/azure/example_AppServicePlanZoneRedundant/main.tf b/tests/terraform/checks/resource/azure/example_AppServicePlanZoneRedundant/main.tf new file mode 100644 index 00000000000..b04e48e0326 --- /dev/null +++ b/tests/terraform/checks/resource/azure/example_AppServicePlanZoneRedundant/main.tf @@ -0,0 +1,26 @@ +resource "azurerm_service_plan" "pass" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + os_type = "Linux" + sku_name = "P1v2" + zone_balancing_enabled = true +} + +resource "azurerm_service_plan" "fail1" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + os_type = "Linux" + sku_name = "P1v2" + zone_balancing_enabled = false +} + + +resource "azurerm_service_plan" "fail2" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + os_type = "Linux" + sku_name = "P1v2" +} diff --git a/tests/terraform/checks/resource/azure/example_AppServicePublicAccessDisabled/main.tf b/tests/terraform/checks/resource/azure/example_AppServicePublicAccessDisabled/main.tf new file mode 100644 index 00000000000..838f3b46fc8 --- /dev/null +++ b/tests/terraform/checks/resource/azure/example_AppServicePublicAccessDisabled/main.tf @@ -0,0 +1,53 @@ +# pass + +resource "azurerm_linux_web_app" "disabled" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + + public_network_access_enabled = false +} + +resource "azurerm_windows_web_app" "disabled" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + + public_network_access_enabled = false +} + +# fail + +resource "azurerm_linux_web_app" "default" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id +} + +resource "azurerm_windows_web_app" "default" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id +} + +resource "azurerm_linux_web_app" "enabled" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + + public_network_access_enabled = true +} + +resource "azurerm_windows_web_app" "enabled" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + + public_network_access_enabled = true +} diff --git a/tests/terraform/checks/resource/azure/example_AppServiceUsedAzureFiles/example_AzureServicebusHasCMK/main.tf b/tests/terraform/checks/resource/azure/example_AppServiceUsedAzureFiles/example_AzureServicebusHasCMK/main.tf deleted file mode 100644 index 026198cd940..00000000000 --- a/tests/terraform/checks/resource/azure/example_AppServiceUsedAzureFiles/example_AzureServicebusHasCMK/main.tf +++ /dev/null @@ -1,44 +0,0 @@ -resource "azurerm_servicebus_namespace" "pass" { - name = "tfex-servicebus-namespace" - location = azurerm_resource_group.example.location - resource_group_name = azurerm_resource_group.example.name - sku = "Standard" - customer_managed_key { - identity_id = "12345" - key_vault_key_id = "yadaya" - infrastructure_encryption_enabled = true - } - tags = { - source = "terraform" - } -} - -resource "azurerm_servicebus_namespace" "fail" { - name = "tfex-servicebus-namespace" - location = azurerm_resource_group.example.location - resource_group_name = azurerm_resource_group.example.name - sku = "Standard" - customer_managed_key { - identity_id = "12345" - key_vault_key_id = "yadaya" - } - tags = { - source = "terraform" - } -} - - -resource "azurerm_servicebus_namespace" "fail2" { - name = "tfex-servicebus-namespace" - location = azurerm_resource_group.example.location - resource_group_name = azurerm_resource_group.example.name - sku = "Standard" - customer_managed_key { - identity_id = "12345" - key_vault_key_id = "yadaya" - infrastructure_encryption_enabled = false - } - tags = { - source = "terraform" - } -} \ No newline at end of file diff --git a/tests/terraform/checks/resource/azure/example_EventHubNamespaceMinTLS12/main.tf b/tests/terraform/checks/resource/azure/example_EventHubNamespaceMinTLS12/main.tf new file mode 100644 index 00000000000..56c5e0fc471 --- /dev/null +++ b/tests/terraform/checks/resource/azure/example_EventHubNamespaceMinTLS12/main.tf @@ -0,0 +1,27 @@ +resource "azurerm_eventhub_namespace" "pass" { + name = "example-namespace" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + sku = "Standard" + capacity = 2 + minimum_tls_version = 1.2 + + tags = { + environment = "Production" + } +} + +resource "azurerm_eventhub_namespace" "pass2" { + name = "eventhub-primary" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + sku = "Standard" +} + +resource "azurerm_eventhub_namespace" "fail" { + name = "eventhub-primary" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + sku = "Standard" + minimum_tls_version = "1.1" +} \ No newline at end of file diff --git a/tests/terraform/checks/resource/azure/example_FunctionAppPublicAccessDisabled/main.tf b/tests/terraform/checks/resource/azure/example_FunctionAppPublicAccessDisabled/main.tf new file mode 100644 index 00000000000..a98ec425092 --- /dev/null +++ b/tests/terraform/checks/resource/azure/example_FunctionAppPublicAccessDisabled/main.tf @@ -0,0 +1,109 @@ +# pass + +resource "azurerm_linux_function_app" "disabled" { + name = "example-linux-function-app" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + service_plan_id = azurerm_service_plan.example.id + + public_network_access_enabled = false +} + +resource "azurerm_linux_function_app_slot" "disabled" { + name = "example-linux-function-app-slot" + function_app_id = azurerm_linux_function_app.example.id + storage_account_name = azurerm_storage_account.example.name + + public_network_access_enabled = false +} + +resource "azurerm_windows_function_app" "disabled" { + name = "example-windows-function-app" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + service_plan_id = azurerm_service_plan.example.id + + public_network_access_enabled = false +} + +resource "azurerm_windows_function_app_slot" "disabled" { + name = "example-slot" + function_app_id = azurerm_windows_function_app.example.id + storage_account_name = azurerm_storage_account.example.name + + public_network_access_enabled = false +} + +# fail + +resource "azurerm_linux_function_app" "default" { + name = "example-linux-function-app" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + service_plan_id = azurerm_service_plan.example.id +} + +resource "azurerm_linux_function_app_slot" "default" { + name = "example-linux-function-app-slot" + function_app_id = azurerm_linux_function_app.example.id + storage_account_name = azurerm_storage_account.example.name +} + +resource "azurerm_windows_function_app" "default" { + name = "example-windows-function-app" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + service_plan_id = azurerm_service_plan.example.id +} + +resource "azurerm_windows_function_app_slot" "default" { + name = "example-slot" + function_app_id = azurerm_windows_function_app.example.id + storage_account_name = azurerm_storage_account.example.name +} + +resource "azurerm_linux_function_app" "enabled" { + name = "example-linux-function-app" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + service_plan_id = azurerm_service_plan.example.id + + public_network_access_enabled = true +} + +resource "azurerm_linux_function_app_slot" "enabled" { + name = "example-linux-function-app-slot" + function_app_id = azurerm_linux_function_app.example.id + storage_account_name = azurerm_storage_account.example.name + + public_network_access_enabled = true +} + +resource "azurerm_windows_function_app" "enabled" { + name = "example-windows-function-app" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + service_plan_id = azurerm_service_plan.example.id + + public_network_access_enabled = true +} + +resource "azurerm_windows_function_app_slot" "enabled" { + name = "example-slot" + function_app_id = azurerm_windows_function_app.example.id + storage_account_name = azurerm_storage_account.example.name + + public_network_access_enabled = true +} diff --git a/tests/terraform/checks/resource/azure/example_SQLDatabaseLedgerEnabled/main.tf b/tests/terraform/checks/resource/azure/example_SQLDatabaseLedgerEnabled/main.tf new file mode 100644 index 00000000000..937fcafbe22 --- /dev/null +++ b/tests/terraform/checks/resource/azure/example_SQLDatabaseLedgerEnabled/main.tf @@ -0,0 +1,44 @@ +resource "azurerm_mssql_database" "pass" { + name = "example-database" + server_id = azurerm_mssql_server.example.id + collation = "SQL_Latin1_General_CP1_CI_AS" + license_type = "LicenseIncluded" + max_size_gb = 4 + read_scale = true + sku_name = "S0" + ledger_enabled = true + + tags = { + environment = "Production" + } +} + +resource "azurerm_mssql_database" "fail2" { + name = "example-database" + server_id = azurerm_mssql_server.example.id + collation = "SQL_Latin1_General_CP1_CI_AS" + license_type = "LicenseIncluded" + max_size_gb = 4 + read_scale = true + sku_name = "S0" + ledger_enabled = false + + tags = { + environment = "Production" + } +} + +resource "azurerm_mssql_database" "fail" { + name = "example-database" + server_id = azurerm_mssql_server.example.id + collation = "SQL_Latin1_General_CP1_CI_AS" + license_type = "LicenseIncluded" + max_size_gb = 4 + read_scale = true + sku_name = "S0" + + tags = { + environment = "Production" + } + +} \ No newline at end of file diff --git a/tests/terraform/checks/resource/azure/test_AKSEncryptionAtHostEnabled.py b/tests/terraform/checks/resource/azure/test_AKSEncryptionAtHostEnabled.py new file mode 100644 index 00000000000..479e1aaaeeb --- /dev/null +++ b/tests/terraform/checks/resource/azure/test_AKSEncryptionAtHostEnabled.py @@ -0,0 +1,45 @@ +import os +import unittest + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.runner import Runner +from checkov.terraform.checks.resource.azure.AKSEncryptionAtHostEnabled import check + + +class AKSEncryptionAtHostEnabled(unittest.TestCase): + + def test(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = os.path.join(current_dir, "example_AKSEncryptionAtHostEnabled") + report = runner.run(root_folder=test_files_dir, + runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + 'azurerm_kubernetes_cluster.pass', + 'azurerm_kubernetes_cluster_node_pool.pass' + } + failing_resources = { + 'azurerm_kubernetes_cluster.fail1', + 'azurerm_kubernetes_cluster.fail2', + 'azurerm_kubernetes_cluster_node_pool.fail1', + 'azurerm_kubernetes_cluster_node_pool.fail2', + } + skipped_resources = {} + + passed_check_resources = {c.resource for c in report.passed_checks} + failed_check_resources = {c.resource for c in report.failed_checks} + + self.assertEqual(summary['passed'], len(passing_resources)) + self.assertEqual(summary['failed'], len(failing_resources)) + self.assertEqual(summary['skipped'], len(skipped_resources)) + self.assertEqual(summary['parsing_errors'], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == '__main__': + unittest.main() diff --git a/tests/terraform/checks/resource/azure/test_AKSEphemeralOSDisks.py b/tests/terraform/checks/resource/azure/test_AKSEphemeralOSDisks.py new file mode 100644 index 00000000000..68c96026b2e --- /dev/null +++ b/tests/terraform/checks/resource/azure/test_AKSEphemeralOSDisks.py @@ -0,0 +1,42 @@ +import os +import unittest + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.runner import Runner +from checkov.terraform.checks.resource.azure.AKSEphemeralOSDisks import check + + +class AKSEphemeralOSDisks(unittest.TestCase): + + def test(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = os.path.join(current_dir, "example_AKSEphemeralOSDisks") + report = runner.run(root_folder=test_files_dir, + runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + 'azurerm_kubernetes_cluster.pass', + } + failing_resources = { + 'azurerm_kubernetes_cluster.fail', + 'azurerm_kubernetes_cluster.fail2', + } + skipped_resources = {} + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary['passed'], len(passing_resources)) + self.assertEqual(summary['failed'], len(failing_resources)) + self.assertEqual(summary['skipped'], len(skipped_resources)) + self.assertEqual(summary['parsing_errors'], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == '__main__': + unittest.main() diff --git a/tests/terraform/checks/resource/azure/test_AppServicePlanZoneRedundant.py b/tests/terraform/checks/resource/azure/test_AppServicePlanZoneRedundant.py new file mode 100644 index 00000000000..11641205278 --- /dev/null +++ b/tests/terraform/checks/resource/azure/test_AppServicePlanZoneRedundant.py @@ -0,0 +1,42 @@ +import os +import unittest + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.runner import Runner +from checkov.terraform.checks.resource.azure.AppServicePlanZoneRedundant import check + + +class AppServicePlanZoneRedundant(unittest.TestCase): + + def test(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = os.path.join(current_dir, "example_AppServicePlanZoneRedundant") + report = runner.run(root_folder=test_files_dir, + runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + 'azurerm_service_plan.pass', + } + failing_resources = { + 'azurerm_service_plan.fail1', + 'azurerm_service_plan.fail2', + } + skipped_resources = {} + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary['passed'], len(passing_resources)) + self.assertEqual(summary['failed'], len(failing_resources)) + self.assertEqual(summary['skipped'], len(skipped_resources)) + self.assertEqual(summary['parsing_errors'], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == '__main__': + unittest.main() diff --git a/tests/terraform/checks/resource/azure/test_AppServicePublicAccessDisabled.py b/tests/terraform/checks/resource/azure/test_AppServicePublicAccessDisabled.py new file mode 100644 index 00000000000..4e125fa7204 --- /dev/null +++ b/tests/terraform/checks/resource/azure/test_AppServicePublicAccessDisabled.py @@ -0,0 +1,45 @@ +import unittest +from pathlib import Path + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.checks.resource.azure.AppServicePublicAccessDisabled import check +from checkov.terraform.runner import Runner + + +class TestAppServicePublicAccessDisabled(unittest.TestCase): + def test(self): + # given + test_files_dir = Path(__file__).parent / "example_AppServicePublicAccessDisabled" + + # when + report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) + + # then + summary = report.get_summary() + + passing_resources = { + "azurerm_linux_web_app.disabled", + "azurerm_windows_web_app.disabled", + } + + failing_resources = { + "azurerm_linux_web_app.default", + "azurerm_windows_web_app.default", + "azurerm_linux_web_app.enabled", + "azurerm_windows_web_app.enabled", + } + + passed_check_resources = {c.resource for c in report.passed_checks} + failed_check_resources = {c.resource for c in report.failed_checks} + + self.assertEqual(summary["passed"], len(passing_resources)) + self.assertEqual(summary["failed"], len(failing_resources)) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/terraform/checks/resource/azure/test_EventHubNamespaceMinTLS12.py b/tests/terraform/checks/resource/azure/test_EventHubNamespaceMinTLS12.py new file mode 100644 index 00000000000..39b2b289c3f --- /dev/null +++ b/tests/terraform/checks/resource/azure/test_EventHubNamespaceMinTLS12.py @@ -0,0 +1,42 @@ +import os +import unittest + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.runner import Runner +from checkov.terraform.checks.resource.azure.EventHubNamespaceMinTLS12 import check + + +class TestEventHubNamespaceMinTLS12(unittest.TestCase): + + def test(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = os.path.join(current_dir, "example_EventHubNamespaceMinTLS12") + report = runner.run(root_folder=test_files_dir, + runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + 'azurerm_eventhub_namespace.pass', + 'azurerm_eventhub_namespace.pass2' + } + failing_resources = { + 'azurerm_eventhub_namespace.fail', + } + skipped_resources = {} + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary['passed'], len(passing_resources)) + self.assertEqual(summary['failed'], len(failing_resources)) + self.assertEqual(summary['skipped'], len(skipped_resources)) + self.assertEqual(summary['parsing_errors'], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == '__main__': + unittest.main() \ No newline at end of file diff --git a/tests/terraform/checks/resource/azure/test_FunctionAppPublicAccessDisabled.py b/tests/terraform/checks/resource/azure/test_FunctionAppPublicAccessDisabled.py new file mode 100644 index 00000000000..e8b01ace039 --- /dev/null +++ b/tests/terraform/checks/resource/azure/test_FunctionAppPublicAccessDisabled.py @@ -0,0 +1,51 @@ +import unittest +from pathlib import Path + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.checks.resource.azure.FunctionAppPublicAccessDisabled import check +from checkov.terraform.runner import Runner + + +class TestFunctionAppPublicAccessDisabled(unittest.TestCase): + def test(self): + # given + test_files_dir = Path(__file__).parent / "example_FunctionAppPublicAccessDisabled" + + # when + report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) + + # then + summary = report.get_summary() + + passing_resources = { + "azurerm_linux_function_app.disabled", + "azurerm_linux_function_app_slot.disabled", + "azurerm_windows_function_app.disabled", + "azurerm_windows_function_app_slot.disabled", + } + + failing_resources = { + "azurerm_linux_function_app.default", + "azurerm_linux_function_app_slot.default", + "azurerm_windows_function_app.default", + "azurerm_windows_function_app_slot.default", + "azurerm_linux_function_app.enabled", + "azurerm_linux_function_app_slot.enabled", + "azurerm_windows_function_app.enabled", + "azurerm_windows_function_app_slot.enabled", + } + + passed_check_resources = {c.resource for c in report.passed_checks} + failed_check_resources = {c.resource for c in report.failed_checks} + + self.assertEqual(summary["passed"], len(passing_resources)) + self.assertEqual(summary["failed"], len(failing_resources)) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/terraform/checks/resource/azure/test_SQLDatabaseLedgerEnabled.py b/tests/terraform/checks/resource/azure/test_SQLDatabaseLedgerEnabled.py new file mode 100644 index 00000000000..bd8f19f9f5b --- /dev/null +++ b/tests/terraform/checks/resource/azure/test_SQLDatabaseLedgerEnabled.py @@ -0,0 +1,42 @@ +import os +import unittest + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.runner import Runner +from checkov.terraform.checks.resource.azure.SQLDatabaseLedgerEnabled import check + + +class SQLDatabaseLedgerEnabled(unittest.TestCase): + + def test(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = os.path.join(current_dir, "example_SQLDatabaseLedgerEnabled") + report = runner.run(root_folder=test_files_dir, + runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + 'azurerm_mssql_database.pass', + } + failing_resources = { + 'azurerm_mssql_database.fail', + 'azurerm_mssql_database.fail2', + } + skipped_resources = {} + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary['passed'], len(passing_resources)) + self.assertEqual(summary['failed'], len(failing_resources)) + self.assertEqual(summary['skipped'], len(skipped_resources)) + self.assertEqual(summary['parsing_errors'], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == '__main__': + unittest.main() diff --git a/tests/terraform/checks/resource/gcp/example_GoogleCloudSqlDatabasePubliclyAccessible/main.tf b/tests/terraform/checks/resource/gcp/example_GoogleCloudSqlDatabasePubliclyAccessible/main.tf index 3e4d2ec82b5..72e0d831109 100644 --- a/tests/terraform/checks/resource/gcp/example_GoogleCloudSqlDatabasePubliclyAccessible/main.tf +++ b/tests/terraform/checks/resource/gcp/example_GoogleCloudSqlDatabasePubliclyAccessible/main.tf @@ -59,22 +59,22 @@ resource "google_sql_database_instance" "instance4-fail" { ip_configuration { dynamic "authorized_networks" { - for_each = google_compute_instance.apps - iterator = apps + for_each = local.onprem + iterator = onprem content { - name = apps.value.name - value = apps.value.network_interface.0.access_config.0.nat_ip + name = "onprem-${onprem.key}" + value = "0.0.0.0/0" } } dynamic "authorized_networks" { - for_each = local.onprem - iterator = onprem + for_each = google_compute_instance.apps + iterator = apps content { - name = "onprem-${onprem.key}" - value = "0.0.0.0/0" + name = apps.value.name + value = apps.value.network_interface.0.access_config.0.nat_ip } } } diff --git a/tests/terraform/checks/resource/gcp/example_GoogleKMSRotationPeriod/main.tf b/tests/terraform/checks/resource/gcp/example_GoogleKMSRotationPeriod/main.tf index e66a35c6ae8..792b889a71e 100644 --- a/tests/terraform/checks/resource/gcp/example_GoogleKMSRotationPeriod/main.tf +++ b/tests/terraform/checks/resource/gcp/example_GoogleKMSRotationPeriod/main.tf @@ -32,3 +32,9 @@ resource "google_kms_crypto_key" "asymmetric" { key_ring = "google_kms_key_ring.keyring.id" purpose = "ASYMMETRIC_SIGN" } + +resource "google_kms_crypto_key" "fail" { + name = "crypto-key-example" + key_ring = "google_kms_key_ring.keyring.id" + rotation_period = 90 +} \ No newline at end of file diff --git a/tests/terraform/checks/resource/gcp/test_GoogleKMSKeyRotationPeriod.py b/tests/terraform/checks/resource/gcp/test_GoogleKMSKeyRotationPeriod.py index 6947865e107..8f0995df699 100644 --- a/tests/terraform/checks/resource/gcp/test_GoogleKMSKeyRotationPeriod.py +++ b/tests/terraform/checks/resource/gcp/test_GoogleKMSKeyRotationPeriod.py @@ -25,16 +25,17 @@ def test(self): failing_resources = { "google_kms_crypto_key.default", "google_kms_crypto_key.half_year", + "google_kms_crypto_key.fail", } passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 2) - self.assertEqual(summary["failed"], 2) + self.assertEqual(summary["passed"], len(passing_resources)) + self.assertEqual(summary["failed"], len(failing_resources)) self.assertEqual(summary["skipped"], 0) self.assertEqual(summary["parsing_errors"], 0) - self.assertEqual(summary["resource_count"], 5) # 1 unknown + self.assertEqual(summary["resource_count"], 6) # 1 unknown self.assertEqual(passing_resources, passed_check_resources) self.assertEqual(failing_resources, failed_check_resources) diff --git a/tests/terraform/checks/resource/test_base_resource_dynamic_value_check.py b/tests/terraform/checks/resource/test_base_resource_dynamic_value_check.py index 1b976bd3cd9..e08aaff8d2f 100644 --- a/tests/terraform/checks/resource/test_base_resource_dynamic_value_check.py +++ b/tests/terraform/checks/resource/test_base_resource_dynamic_value_check.py @@ -135,3 +135,5 @@ def tearDown(self) -> None: super().tearDown() resource_registry.checks = self.check_list_before self.check_list_before = None + + diff --git a/tests/terraform/graph/checks/resources/AWS_private_MWAA_environment/expected.yaml b/tests/terraform/graph/checks/resources/AWS_private_MWAA_environment/expected.yaml new file mode 100644 index 00000000000..c45079ef130 --- /dev/null +++ b/tests/terraform/graph/checks/resources/AWS_private_MWAA_environment/expected.yaml @@ -0,0 +1,5 @@ +pass: + - "aws_mwaa_environment.pud_mwaa_env_pass" + - "aws_mwaa_environment.pud_mwaa_env_pass_1" +fail: + - "aws_mwaa_environment.pud_mwaa_env_fail" diff --git a/tests/terraform/graph/checks/resources/AWS_private_MWAA_environment/main.tf b/tests/terraform/graph/checks/resources/AWS_private_MWAA_environment/main.tf new file mode 100644 index 00000000000..5dc0f36a6ba --- /dev/null +++ b/tests/terraform/graph/checks/resources/AWS_private_MWAA_environment/main.tf @@ -0,0 +1,104 @@ +# PASS 1: webserver_access_mode = PRIVATE_ONLY + +resource "aws_iam_role" "pud_pass_role" { + name = "pud_pass_role" + assume_role_policy = jsonencode({ + Version = "2023-09-27" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Sid = "" + Principal = { + Service = "ec2.amazonaws.com" + } + }, + ] + }) + + tags = { + tag-key = "pud_checkov_pass" + } +} + +resource "aws_s3_bucket" "pud_pass_bucket" { + bucket = "pud_pass_bucket" +} + +resource "aws_mwaa_environment" "pud_mwaa_env_pass" { + dag_s3_path = "dags/" + execution_role_arn = aws_iam_role.pud_pass_role.arn + name = "pud_mwaa_env_pass" + webserver_access_mode = "PRIVATE_ONLY" + source_bucket_arn = aws_s3_bucket.pud_pass_bucket.arn +} + +# PASS 2: webserver_access_mode Not mentioned. DEFAULT = PRIVATE_ONLY + +resource "aws_iam_role" "pud_pass_role_1" { + name = "pud_pass_role_1" + assume_role_policy = jsonencode({ + Version = "2023-09-27" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Sid = "" + Principal = { + Service = "ec2.amazonaws.com" + } + }, + ] + }) + + tags = { + tag-key = "pud_checkov_pass_1" + } +} + +resource "aws_s3_bucket" "pud_pass_bucket_1" { + bucket = "pud_pass_bucket_1" +} + +resource "aws_mwaa_environment" "pud_mwaa_env_pass_1" { + dag_s3_path = "dags/" + execution_role_arn = aws_iam_role.pud_pass_role.arn + name = "pud_mwaa_env_pass_1" + source_bucket_arn = aws_s3_bucket.pud_pass_bucket.arn +} + +# FAIL: webserver_access_mode = PUBLIC_ONLY + +resource "aws_iam_role" "pud_fail_role" { + name = "pud_fail_role" + assume_role_policy = jsonencode({ + Version = "2023-09-27" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Sid = "" + Principal = { + Service = "ec2.amazonaws.com" + } + }, + ] + }) + + tags = { + tag-key = "pud_checkov_fail" + } +} + +resource "aws_s3_bucket" "pud_fail_bucket" { + bucket = "pud_fail_bucket" +} + +resource "aws_mwaa_environment" "pud_mwaa_env_fail" { + dag_s3_path = "dags/" + execution_role_arn = aws_iam_role.pud_fail_role.arn + name = "pud_mwaa_env_fail" + webserver_access_mode = "PUBLIC_ONLY" + source_bucket_arn = aws_s3_bucket.pud_fail_bucket.arn +} + diff --git a/tests/terraform/graph/checks/resources/AWSdisableS3ACL/expected.yaml b/tests/terraform/graph/checks/resources/AWSdisableS3ACL/expected.yaml new file mode 100644 index 00000000000..e6f9c9b79f1 --- /dev/null +++ b/tests/terraform/graph/checks/resources/AWSdisableS3ACL/expected.yaml @@ -0,0 +1,4 @@ +fail: + - "aws_s3_bucket_ownership_controls.pud_bucket_fail" +pass: + - "aws_s3_bucket_ownership_controls.pud_bucket_pass" diff --git a/tests/terraform/graph/checks/resources/AWSdisableS3ACL/main.tf b/tests/terraform/graph/checks/resources/AWSdisableS3ACL/main.tf new file mode 100644 index 00000000000..996219a72c1 --- /dev/null +++ b/tests/terraform/graph/checks/resources/AWSdisableS3ACL/main.tf @@ -0,0 +1,27 @@ +# FAIL + +resource "aws_s3_bucket" "pud_bucket_fail" { + bucket = "pud_bucket_fail" +} + +resource "aws_s3_bucket_ownership_controls" "pud_bucket_fail" { + bucket = aws_s3_bucket.pud_bucket_fail.id + + rule { + object_ownership = "BucketOwnerPreferred" + } +} + +# PASS + +resource "aws_s3_bucket" "pud_bucket_pass" { + bucket = "pud_bucket_pass" +} + +resource "aws_s3_bucket_ownership_controls" "pud_bucket_pass" { + bucket = aws_s3_bucket.pud_bucket_pass.id + + rule { + object_ownership = "BucketOwnerEnforced" + } +} \ No newline at end of file diff --git a/tests/terraform/graph/checks/test_yaml_policies.py b/tests/terraform/graph/checks/test_yaml_policies.py index cce9692eb9e..8fe4795d3bc 100644 --- a/tests/terraform/graph/checks/test_yaml_policies.py +++ b/tests/terraform/graph/checks/test_yaml_policies.py @@ -412,6 +412,12 @@ def test_AzureMariaDBserverUsingTLS_1_2(self): def test_AzureStorageAccountEnableSoftDelete(self): self.go("AzureStorageAccountEnableSoftDelete") + def test_AWSdisableS3ACL(self): + self.go("AWSdisableS3ACL") + + def test_AWS_private_MWAA_environment(self): + self.go("AWS_private_MWAA_environment") + def test_registry_load(self): registry = Registry(parser=GraphCheckParser(), checks_dir=str( Path(__file__).parent.parent.parent.parent.parent / "checkov" / "terraform" / "checks" / "graph_checks")) diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/contains_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/contains_solver/test_solver.py index 1cbd63e63d6..52505e93257 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/contains_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/contains_solver/test_solver.py @@ -1,15 +1,13 @@ import os from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestContainsSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/ending_with_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/ending_with_solver/test_solver.py index a2fa5511b73..e32d5fd8857 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/ending_with_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/ending_with_solver/test_solver.py @@ -1,14 +1,12 @@ import os from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestEndingWithSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/equals_ignore_case_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/equals_ignore_case_solver/test_solver.py index 40d5b7271d5..b3646ccf01e 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/equals_ignore_case_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/equals_ignore_case_solver/test_solver.py @@ -1,14 +1,12 @@ import os from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestEqualsIgnoreCaseSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/equals_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/equals_solver/test_solver.py index 28aa9b53eb9..ac488ac99cc 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/equals_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/equals_solver/test_solver.py @@ -1,14 +1,12 @@ import os from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestEqualsSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/exists_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/exists_solver/test_solver.py index 73211b87e93..8f8205e5873 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/exists_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/exists_solver/test_solver.py @@ -1,14 +1,12 @@ import os from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class ExistsSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/greater_than_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/greater_than_solver/test_solver.py index c30400303ef..74b7d3979c7 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/greater_than_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/greater_than_solver/test_solver.py @@ -7,15 +7,13 @@ from checkov.common.checks_infra.solvers.attribute_solvers.less_than_attribute_solver import LessThanAttributeSolver from checkov.common.checks_infra.solvers.attribute_solvers.less_than_or_equal_attribute_solver import \ LessThanOrEqualAttributeSolver +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver from parameterized import parameterized_class TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestGreaterThanLessThanSolvers(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/intersects_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/intersects_solver/test_solver.py index 6323ad5e808..81f3c430904 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/intersects_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/intersects_solver/test_solver.py @@ -1,15 +1,13 @@ import os from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestIntersectsSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/is_empty_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/is_empty_solver/test_solver.py index 05066ebec8c..5bd60c98b55 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/is_empty_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/is_empty_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestIsEmptySolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/is_false_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/is_false_solver/test_solver.py index f7c85ccba0c..9b515f00e46 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/is_false_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/is_false_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestIsFalse(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/is_not_empty_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/is_not_empty_solver/test_solver.py index 3b7acf466c5..d39b0357719 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/is_not_empty_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/is_not_empty_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestIsNotEmptySolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/is_true_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/is_true_solver/test_solver.py index 744fe3b37ed..1ce845723e7 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/is_true_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/is_true_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestIsTrue(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/test_solver.py index 98a063674f7..b3e0f4ce2e0 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/test_solver.py @@ -1,15 +1,13 @@ import os from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestJsonpathEqualsSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_exists_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_exists_solver/test_solver.py index 9b2e2148409..74441f19839 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_exists_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_exists_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestJsonpathExistsSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_not_equals_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_not_equals_solver/test_solver.py index c205341778b..dbbe8c0e752 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_not_equals_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_not_equals_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestJsonpathNotEqualsSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_not_exists_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_not_exists_solver/test_solver.py index 3b83992ba05..4394cab9e4b 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_not_exists_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_not_exists_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestJsonpathNotExistsSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/length_equals_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/length_equals_solver/test_solver.py index 8376d5f42e5..f0f82ac6a2e 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/length_equals_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/length_equals_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestLengthEquals(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/length_greater_than_or_equal_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/length_greater_than_or_equal_solver/test_solver.py index 4e5c2975a6d..54c07cf2472 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/length_greater_than_or_equal_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/length_greater_than_or_equal_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestLengthGreaterThanOrEqual(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/length_greater_than_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/length_greater_than_solver/test_solver.py index 627ffe89f9e..4c7d49e99f9 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/length_greater_than_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/length_greater_than_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestLengthGreaterThan(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/length_less_than_or_equal_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/length_less_than_or_equal_solver/test_solver.py index dbac232169e..d00cdff6179 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/length_less_than_or_equal_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/length_less_than_or_equal_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestLengthLessThanOrEqual(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/length_less_than_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/length_less_than_solver/test_solver.py index 484ebf811f3..50616a7e0f0 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/length_less_than_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/length_less_than_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestLengthLessThan(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/length_not_equals_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/length_not_equals_solver/test_solver.py index 5fe4a1971a4..868ec9bd834 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/length_not_equals_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/length_not_equals_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestLengthNotEquals(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/not_contains_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/not_contains_solver/test_solver.py index 3fa9383ab97..bd109ee278d 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/not_contains_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/not_contains_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestNotContainsSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/not_ending_with_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/not_ending_with_solver/test_solver.py index c138a210386..10e4506d8f1 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/not_ending_with_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/not_ending_with_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestNotEndingWithSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/not_equals_ignore_case_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/not_equals_ignore_case_solver/test_solver.py index 0002e4ab75b..00ac6f06846 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/not_equals_ignore_case_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/not_equals_ignore_case_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestNotEqualsIgnoreCaseSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/not_equals_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/not_equals_solver/test_solver.py index 4dcd2127d5e..afbf2184b91 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/not_equals_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/not_equals_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestNotEqualsSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/not_exists_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/not_exists_solver/test_solver.py index d14ca68b98b..c24420335c5 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/not_exists_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/not_exists_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestNotExistsSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/not_intersects_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/not_intersects_solver/test_solver.py index 39a30280603..b1b48abded0 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/not_intersects_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/not_intersects_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestNotIntersectsSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/not_regex_match_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/not_regex_match_solver/test_solver.py index 7220867063c..9633ee565d7 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/not_regex_match_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/not_regex_match_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestRegexMatchSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/not_starting_with_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/not_starting_with_solver/test_solver.py index 8e0c5caca15..e10a617d0cf 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/not_starting_with_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/not_starting_with_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestNotStartingWithSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/not_subset_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/not_subset_solver/test_solver.py index 9e0421ef0b5..6ecbedee24c 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/not_subset_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/not_subset_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestNotSubsetSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/not_within_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/not_within_solver/test_solver.py index 3c36f430f17..ad689b0f3af 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/not_within_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/not_within_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestNotWithinSolver(TestBaseSolver): def setUp(self) -> None: self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_equals_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_equals_solver/test_solver.py index 37825ddc404..0ff6e8ed921 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_equals_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_equals_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestNumberOfNotWordsEquals(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_greater_than_or_equal_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_greater_than_or_equal_solver/test_solver.py index 6cc434370a6..76413e20052 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_greater_than_or_equal_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_greater_than_or_equal_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestNumberOfWordsGreaterThanOrEqual(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_greater_than_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_greater_than_solver/test_solver.py index f92c00536d6..f6bc54f0057 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_greater_than_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_greater_than_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestNumberOfWordsGreaterThan(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_less_than_or_equal_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_less_than_or_equal_solver/test_solver.py index 69411780179..66571349cb6 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_less_than_or_equal_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_less_than_or_equal_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestNumberOfWordsLessThanOrEqual(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_less_than_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_less_than_solver/test_solver.py index a586e04ee2a..0150b37aa9f 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_less_than_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_less_than_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestNumberOfWordsLessThan(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_not_equals_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_not_equals_solver/test_solver.py index 825818e6749..6027df25367 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_not_equals_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/number_of_words_not_equals_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestNumberOfWordsEquals(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/test_solver.py index ce3953dbe5a..f3956bc5bf5 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestRangeIncludesSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/test_solver.py index f5a2bcf0cf3..fef72aa1da7 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestRangeNotIncludesSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/regex_match_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/regex_match_solver/test_solver.py index c5187a452bb..a436485c6b9 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/regex_match_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/regex_match_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestRegexMatchSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/starting_with_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/starting_with_solver/test_solver.py index 461cc740c6e..c23bbee557b 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/starting_with_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/starting_with_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestStartingWithSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/subset_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/subset_solver/test_solver.py index 64fced43e83..dfe65a7b66e 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/subset_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/subset_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestSubsetSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/within_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/within_solver/test_solver.py index 33a476c5bdf..c71c4585f30 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/within_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/within_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestWithinSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/complex_solvers/and_solver/test_solver.py b/tests/terraform/graph/checks_infra/complex_solvers/and_solver/test_solver.py index a37e3e20ff8..08891da9f8c 100644 --- a/tests/terraform/graph/checks_infra/complex_solvers/and_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/complex_solvers/and_solver/test_solver.py @@ -1,14 +1,12 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver import os TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestAndQuery(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/complex_solvers/not_solver/test_solver.py b/tests/terraform/graph/checks_infra/complex_solvers/not_solver/test_solver.py index fda2aac5be2..5dad74f9ca8 100644 --- a/tests/terraform/graph/checks_infra/complex_solvers/not_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/complex_solvers/not_solver/test_solver.py @@ -1,14 +1,12 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver import os TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestNotQuery(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/complex_solvers/or_solver/test_solver.py b/tests/terraform/graph/checks_infra/complex_solvers/or_solver/test_solver.py index 2ecdef96f1c..6657c4d0b85 100644 --- a/tests/terraform/graph/checks_infra/complex_solvers/or_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/complex_solvers/or_solver/test_solver.py @@ -1,14 +1,12 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver import os TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestOrQuery(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/connection_solvers/and_connection_solver/test_solver.py b/tests/terraform/graph/checks_infra/connection_solvers/and_connection_solver/test_solver.py index efe1e7daab2..0562371e417 100644 --- a/tests/terraform/graph/checks_infra/connection_solvers/and_connection_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/connection_solvers/and_connection_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class ConnectionSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/connection_solvers/connection_exist_solver/test_solver.py b/tests/terraform/graph/checks_infra/connection_solvers/connection_exist_solver/test_solver.py index 60a7c23c2fc..b9ae241f8c4 100644 --- a/tests/terraform/graph/checks_infra/connection_solvers/connection_exist_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/connection_solvers/connection_exist_solver/test_solver.py @@ -4,15 +4,13 @@ from parameterized import parameterized_class from checkov.runner_filter import RunnerFilter +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class ConnectionSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME @@ -63,9 +61,17 @@ def test_reduce_graph_by_target_types(self): assert len(reduced_graph.nodes) <= 85 assert len(reduced_graph.edges) <= 20 + #TODO delete IGRAPH elif self.graph_framework == 'IGRAPH': assert len(graph_connector.vs) >= 661 assert len(graph_connector.es) >= 327 assert len(reduced_graph.vs) <= 85 - assert len(reduced_graph.es) <= 20 \ No newline at end of file + assert len(reduced_graph.es) <= 20 + + elif self.graph_framework == 'RUSTWORKX': + assert len(graph_connector.nodes()) >= 661 + assert len(graph_connector.edges()) >= 327 + + assert len(reduced_graph.nodes()) <= 85 + assert len(reduced_graph.edges()) <= 20 \ No newline at end of file diff --git a/tests/terraform/graph/checks_infra/connection_solvers/connection_not_exist_solver/test_solver.py b/tests/terraform/graph/checks_infra/connection_solvers/connection_not_exist_solver/test_solver.py index 8664600a235..c798542a370 100644 --- a/tests/terraform/graph/checks_infra/connection_solvers/connection_not_exist_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/connection_solvers/connection_not_exist_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class ConnectionSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/connection_solvers/connection_one_exists/test_solver.py b/tests/terraform/graph/checks_infra/connection_solvers/connection_one_exists/test_solver.py index ed1c97ee919..e08caa2a19d 100644 --- a/tests/terraform/graph/checks_infra/connection_solvers/connection_one_exists/test_solver.py +++ b/tests/terraform/graph/checks_infra/connection_solvers/connection_one_exists/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class ConnectionSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/connection_solvers/or_connection_solver/test_solver.py b/tests/terraform/graph/checks_infra/connection_solvers/or_connection_solver/test_solver.py index 0de8bc8a70b..416079f25e3 100644 --- a/tests/terraform/graph/checks_infra/connection_solvers/or_connection_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/connection_solvers/or_connection_solver/test_solver.py @@ -2,15 +2,13 @@ from parameterized import parameterized_class +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS from tests.terraform.graph.checks_infra.test_base import TestBaseSolver TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class ConnectionSolver(TestBaseSolver): def setUp(self): self.checks_dir = TEST_DIRNAME diff --git a/tests/terraform/graph/checks_infra/test_base.py b/tests/terraform/graph/checks_infra/test_base.py index 6f474232424..e9ac7dce777 100644 --- a/tests/terraform/graph/checks_infra/test_base.py +++ b/tests/terraform/graph/checks_infra/test_base.py @@ -2,19 +2,23 @@ from unittest import TestCase from unittest import mock +from parameterized import parameterized_class + from checkov.common.checks_infra.checks_parser import GraphCheckParser from checkov.common.checks_infra.registry import Registry from checkov.terraform.runner import Runner from checkov.runner_filter import RunnerFilter from checkov.common.checks_infra.solvers.attribute_solvers.base_attribute_solver import BaseAttributeSolver +from tests.graph_utils.utils import PARAMETERIZED_GRAPH_FRAMEWORKS +@parameterized_class( + PARAMETERIZED_GRAPH_FRAMEWORKS +) class TestBaseSolver(TestCase): checks_dir = "" def setUp(self): - if not hasattr(self, 'graph_framework'): - self.graph_framework = "NETWORKX" with mock.patch.dict(os.environ, {"CHECKOV_GRAPH_FRAMEWORK": self.graph_framework}): self.source = "Terraform" self.registry = Registry(parser=GraphCheckParser(), checks_dir=self.checks_dir) diff --git a/tests/terraform/graph/db_connector/test_graph_connector.py b/tests/terraform/graph/db_connector/test_graph_connector.py index c0732e39928..c3391fda6f1 100644 --- a/tests/terraform/graph/db_connector/test_graph_connector.py +++ b/tests/terraform/graph/db_connector/test_graph_connector.py @@ -3,6 +3,7 @@ from checkov.common.graph.db_connectors.networkx.networkx_db_connector import NetworkxConnector from checkov.common.graph.db_connectors.igraph.igraph_db_connector import IgraphConnector +from checkov.common.graph.db_connectors.rustworkx.rustworkx_db_connector import RustworkxConnector from checkov.terraform.graph_builder.local_graph import TerraformLocalGraph from checkov.terraform.tf_parser import TFParser @@ -27,3 +28,12 @@ def test_creating_igraph_graph(self): local_graph._create_vertices() igc = IgraphConnector() igc.save_graph(local_graph) + + def test_creating_rustworkx_graph(self): + resources_dir = os.path.realpath(os.path.join(TEST_DIRNAME, '../resources/encryption')) + hcl_config_parser = TFParser() + module, _ = hcl_config_parser.parse_hcl_module(resources_dir, 'AWS') + local_graph = TerraformLocalGraph(module) + local_graph._create_vertices() + igc = RustworkxConnector() + igc.save_graph(local_graph) diff --git a/tests/terraform/graph/graph_builder/test_graph_builder.py b/tests/terraform/graph/graph_builder/test_graph_builder.py index 61ccb068ebc..f5dd975d485 100644 --- a/tests/terraform/graph/graph_builder/test_graph_builder.py +++ b/tests/terraform/graph/graph_builder/test_graph_builder.py @@ -3,6 +3,7 @@ from unittest import TestCase, mock from checkov.common.graph.db_connectors.networkx.networkx_db_connector import NetworkxConnector +from checkov.common.graph.db_connectors.rustworkx.rustworkx_db_connector import RustworkxConnector from checkov.terraform.graph_builder.graph_components.block_types import BlockType from checkov.terraform.graph_builder.graph_to_tf_definitions import convert_graph_vertices_to_tf_definitions from checkov.terraform.graph_manager import TerraformGraphManager @@ -334,6 +335,44 @@ def test_build_graph_for_each_with_variables_and_dynamic_not_crash(self): # Shouldn't throw exception graph_manager.build_graph_from_source_directory(resources_dir) + def test_build_rustworkx_graph(self): + resources_dir = os.path.join(TEST_DIRNAME, '../resources/general_example') + + graph_manager = TerraformGraphManager(db_connector=RustworkxConnector()) + graph, tf_definitions = graph_manager.build_graph_from_source_directory(resources_dir) + + expected_num_of_var_nodes = 3 + expected_num_of_locals_nodes = 1 + expected_num_of_resources_nodes = 1 + expected_num_of_provider_nodes = 1 + vertices_by_block_type = graph.vertices_by_block_type + self.assertEqual(expected_num_of_var_nodes, len(vertices_by_block_type[BlockType.VARIABLE])) + self.assertEqual(expected_num_of_locals_nodes, len(vertices_by_block_type[BlockType.LOCALS])) + self.assertEqual(expected_num_of_resources_nodes, len(vertices_by_block_type[BlockType.RESOURCE])) + self.assertEqual(expected_num_of_provider_nodes, len(vertices_by_block_type[BlockType.PROVIDER])) + + provider_node = graph.vertices[vertices_by_block_type[BlockType.PROVIDER][0]] + resource_node = graph.vertices[vertices_by_block_type[BlockType.RESOURCE][0]] + local_node = graph.vertices[graph.vertices_block_name_map[BlockType.LOCALS]["bucket_name"][0]] + + var_bucket_name_node = None + var_region_node = None + var_aws_profile_node = None + for index in vertices_by_block_type[BlockType.VARIABLE]: + var_node = graph.vertices[index] + if var_node.name == 'aws_profile': + var_aws_profile_node = var_node + if var_node.name == 'bucket_name': + var_bucket_name_node = var_node + if var_node.name == 'region': + var_region_node = var_node + + self.check_edge(graph, resource_node, local_node, 'bucket') + self.check_edge(graph, resource_node, provider_node, 'provider') + self.check_edge(graph, resource_node, var_region_node, 'region') + self.check_edge(graph, provider_node, var_aws_profile_node, 'profile') + self.check_edge(graph, local_node, var_bucket_name_node, 'bucket_name') + def build_new_key_for_tf_definition(key): key = key.tf_source_modules diff --git a/tests/terraform/graph/variable_rendering/expected_foreach_module_dup_foreach.json b/tests/terraform/graph/variable_rendering/expected_foreach_module_dup_foreach.json new file mode 100644 index 00000000000..e8735ca7d20 --- /dev/null +++ b/tests/terraform/graph/variable_rendering/expected_foreach_module_dup_foreach.json @@ -0,0 +1,1255 @@ +{ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"tf_source_modules\": null}": { + "module": [ + { + "s3_module[\"a\"]": { + "__end_line__": 12, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}" + ], + "__start_line__": 7, + "bucket": [ + false + ], + "bucket2": [ + "" + ], + "source": [ + "./module" + ], + "__address__": "s3_module[\"a\"]" + } + }, + { + "s3_module2[0]": { + "__end_line__": 19, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}" + ], + "__start_line__": 14, + "bucket": [ + "" + ], + "bucket2": [ + true + ], + "source": [ + "./module" + ], + "__address__": "s3_module2[0]" + } + }, + { + "s3_module[\"b\"]": { + "__end_line__": 12, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}" + ], + "__start_line__": 7, + "bucket": [ + false + ], + "bucket2": [ + "" + ], + "source": [ + "./module" + ], + "__address__": "s3_module[\"b\"]" + } + }, + { + "s3_module2[1]": { + "__end_line__": 19, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}" + ], + "__start_line__": 14, + "bucket": [ + "" + ], + "bucket2": [ + true + ], + "source": [ + "./module" + ], + "__address__": "s3_module2[1]" + } + } + ], + "provider": [ + { + "aws": { + "__end_line__": 5, + "__start_line__": 1, + "alias": [ + "test_provider" + ], + "region": [ + "us-west-2" + ], + "test_provider": [ + true + ], + "__address__": "aws.test_provider" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}": { + "module": [ + { + "inner_s3_module[\"c\"]": { + "__end_line__": 5, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + "var.bucket" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module[\"a\"].inner_s3_module[\"c\"]" + } + }, + { + "inner_s3_module2[\"e\"]": { + "__end_line__": 11, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], + "__start_line__": 7, + "bucket2": [ + "var.bucket2" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module[\"a\"].inner_s3_module2[\"e\"]" + } + }, + { + "inner_s3_module[\"d\"]": { + "__end_line__": 5, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + "var.bucket" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module[\"a\"].inner_s3_module[\"d\"]" + } + }, + { + "inner_s3_module2[\"f\"]": { + "__end_line__": 11, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], + "__start_line__": 7, + "bucket2": [ + "var.bucket2" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module[\"a\"].inner_s3_module2[\"f\"]" + } + } + ], + "variable": [ + { + "bucket": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module[\"a\"].bucket" + } + }, + { + "bucket2": { + "__end_line__": 20, + "__start_line__": 18, + "type": [ + "string" + ], + "__address__": "module.s3_module[\"a\"].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}": { + "module": [ + { + "inner_s3_module[\"c\"]": { + "__end_line__": 5, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + "var.bucket" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module2[0].inner_s3_module[\"c\"]" + } + }, + { + "inner_s3_module2[\"e\"]": { + "__end_line__": 11, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + "__start_line__": 7, + "bucket2": [ + "var.bucket2" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module2[0].inner_s3_module2[\"e\"]" + } + }, + { + "inner_s3_module[\"d\"]": { + "__end_line__": 5, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + "var.bucket" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module2[0].inner_s3_module[\"d\"]" + } + }, + { + "inner_s3_module2[\"f\"]": { + "__end_line__": 11, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + "__start_line__": 7, + "bucket2": [ + "var.bucket2" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module2[0].inner_s3_module2[\"f\"]" + } + } + ], + "variable": [ + { + "bucket": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module2[0].bucket" + } + }, + { + "bucket2": { + "__end_line__": 20, + "__start_line__": 18, + "type": [ + "string" + ], + "__address__": "module.s3_module2[0].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { + "locals": [ + { + "bucket2": [ + "var.bucket2" + ], + "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"c\"].bucket2" + } + ], + "resource": [ + { + "aws_s3_bucket_public_access_block": { + "var_bucket": { + "__end_line__": 11, + "__start_line__": 5, + "block_public_acls": [ + true + ], + "block_public_policy": [ + true + ], + "bucket": [ + "var.bucket2" + ], + "ignore_public_acls": [ + true + ], + "restrict_public_buckets": [ + true + ], + "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket" + } + } + } + ], + "variable": [ + { + "bucket2": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"c\"].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { + "locals": [ + { + "bucket2": [ + "var.bucket2" + ], + "__address__": "module.s3_module2[0].module.inner_s3_module[\"c\"].bucket2" + } + ], + "resource": [ + { + "aws_s3_bucket_public_access_block": { + "var_bucket": { + "__end_line__": 11, + "__start_line__": 5, + "block_public_acls": [ + true + ], + "block_public_policy": [ + true + ], + "bucket": [ + "var.bucket2" + ], + "ignore_public_acls": [ + true + ], + "restrict_public_buckets": [ + true + ], + "__address__": "module.s3_module2[0].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket" + } + } + } + ], + "variable": [ + { + "bucket2": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module2[0].module.inner_s3_module[\"c\"].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { + "locals": [ + { + "bucket2": [ + "var.bucket2" + ], + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"e\"].bucket2" + } + ], + "resource": [ + { + "aws_s3_bucket_public_access_block": { + "var_bucket": { + "__end_line__": 11, + "__start_line__": 5, + "block_public_acls": [ + true + ], + "block_public_policy": [ + true + ], + "bucket": [ + "var.bucket2" + ], + "ignore_public_acls": [ + true + ], + "restrict_public_buckets": [ + true + ], + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket" + } + } + } + ], + "variable": [ + { + "bucket2": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"e\"].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { + "locals": [ + { + "bucket2": [ + "var.bucket2" + ], + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"e\"].bucket2" + } + ], + "resource": [ + { + "aws_s3_bucket_public_access_block": { + "var_bucket": { + "__end_line__": 11, + "__start_line__": 5, + "block_public_acls": [ + true + ], + "block_public_policy": [ + true + ], + "bucket": [ + "var.bucket2" + ], + "ignore_public_acls": [ + true + ], + "restrict_public_buckets": [ + true + ], + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket" + } + } + } + ], + "variable": [ + { + "bucket2": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"e\"].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/variable.tf\", \"tf_source_modules\": null}": { + "variable": [ + { + "count_var": { + "__end_line__": 4, + "__start_line__": 2, + "default": [ + 2 + ], + "__address__": "count_var" + } + }, + { + "foreach_var": { + "__end_line__": 8, + "__start_line__": 6, + "default": [ + [ + "a", + "b" + ] + ], + "__address__": "foreach_var" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}": { + "module": [ + { + "inner_s3_module[\"c\"]": { + "__end_line__": 5, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + "var.bucket" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module[\"b\"].inner_s3_module[\"c\"]" + } + }, + { + "inner_s3_module2[\"e\"]": { + "__end_line__": 11, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], + "__start_line__": 7, + "bucket2": [ + "var.bucket2" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module[\"b\"].inner_s3_module2[\"e\"]" + } + }, + { + "inner_s3_module[\"d\"]": { + "__end_line__": 5, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + "var.bucket" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module[\"b\"].inner_s3_module[\"d\"]" + } + }, + { + "inner_s3_module2[\"f\"]": { + "__end_line__": 11, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], + "__start_line__": 7, + "bucket2": [ + "var.bucket2" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module[\"b\"].inner_s3_module2[\"f\"]" + } + } + ], + "variable": [ + { + "bucket": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module[\"b\"].bucket" + } + }, + { + "bucket2": { + "__end_line__": 20, + "__start_line__": 18, + "type": [ + "string" + ], + "__address__": "module.s3_module[\"b\"].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { + "locals": [ + { + "bucket2": [ + "var.bucket2" + ], + "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"c\"].bucket2" + } + ], + "resource": [ + { + "aws_s3_bucket_public_access_block": { + "var_bucket": { + "__end_line__": 11, + "__start_line__": 5, + "block_public_acls": [ + true + ], + "block_public_policy": [ + true + ], + "bucket": [ + "var.bucket2" + ], + "ignore_public_acls": [ + true + ], + "restrict_public_buckets": [ + true + ], + "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket" + } + } + } + ], + "variable": [ + { + "bucket2": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"c\"].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { + "locals": [ + { + "bucket2": [ + "var.bucket2" + ], + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"e\"].bucket2" + } + ], + "resource": [ + { + "aws_s3_bucket_public_access_block": { + "var_bucket": { + "__end_line__": 11, + "__start_line__": 5, + "block_public_acls": [ + true + ], + "block_public_policy": [ + true + ], + "bucket": [ + "var.bucket2" + ], + "ignore_public_acls": [ + true + ], + "restrict_public_buckets": [ + true + ], + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket" + } + } + } + ], + "variable": [ + { + "bucket2": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"e\"].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}": { + "module": [ + { + "inner_s3_module[\"c\"]": { + "__end_line__": 5, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + "var.bucket" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module2[1].inner_s3_module[\"c\"]" + } + }, + { + "inner_s3_module2[\"e\"]": { + "__end_line__": 11, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + "__start_line__": 7, + "bucket2": [ + "var.bucket2" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module2[1].inner_s3_module2[\"e\"]" + } + }, + { + "inner_s3_module[\"d\"]": { + "__end_line__": 5, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + "var.bucket" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module2[1].inner_s3_module[\"d\"]" + } + }, + { + "inner_s3_module2[\"f\"]": { + "__end_line__": 11, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + "__start_line__": 7, + "bucket2": [ + "var.bucket2" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module2[1].inner_s3_module2[\"f\"]" + } + } + ], + "variable": [ + { + "bucket": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module2[1].bucket" + } + }, + { + "bucket2": { + "__end_line__": 20, + "__start_line__": 18, + "type": [ + "string" + ], + "__address__": "module.s3_module2[1].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { + "locals": [ + { + "bucket2": [ + "var.bucket2" + ], + "__address__": "module.s3_module2[1].module.inner_s3_module[\"c\"].bucket2" + } + ], + "resource": [ + { + "aws_s3_bucket_public_access_block": { + "var_bucket": { + "__end_line__": 11, + "__start_line__": 5, + "block_public_acls": [ + true + ], + "block_public_policy": [ + true + ], + "bucket": [ + "var.bucket2" + ], + "ignore_public_acls": [ + true + ], + "restrict_public_buckets": [ + true + ], + "__address__": "module.s3_module2[1].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket" + } + } + } + ], + "variable": [ + { + "bucket2": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module2[1].module.inner_s3_module[\"c\"].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { + "locals": [ + { + "bucket2": [ + "var.bucket2" + ], + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"e\"].bucket2" + } + ], + "resource": [ + { + "aws_s3_bucket_public_access_block": { + "var_bucket": { + "__end_line__": 11, + "__start_line__": 5, + "block_public_acls": [ + true + ], + "block_public_policy": [ + true + ], + "bucket": [ + "var.bucket2" + ], + "ignore_public_acls": [ + true + ], + "restrict_public_buckets": [ + true + ], + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket" + } + } + } + ], + "variable": [ + { + "bucket2": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"e\"].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { + "locals": [ + { + "bucket2": [ + "var.bucket2" + ], + "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"d\"].bucket2" + } + ], + "resource": [ + { + "aws_s3_bucket_public_access_block": { + "var_bucket": { + "__end_line__": 11, + "__start_line__": 5, + "block_public_acls": [ + true + ], + "block_public_policy": [ + true + ], + "bucket": [ + "var.bucket2" + ], + "ignore_public_acls": [ + true + ], + "restrict_public_buckets": [ + true + ], + "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket" + } + } + } + ], + "variable": [ + { + "bucket2": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"d\"].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { + "locals": [ + { + "bucket2": [ + "var.bucket2" + ], + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"f\"].bucket2" + } + ], + "resource": [ + { + "aws_s3_bucket_public_access_block": { + "var_bucket": { + "__end_line__": 11, + "__start_line__": 5, + "block_public_acls": [ + true + ], + "block_public_policy": [ + true + ], + "bucket": [ + "var.bucket2" + ], + "ignore_public_acls": [ + true + ], + "restrict_public_buckets": [ + true + ], + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket" + } + } + } + ], + "variable": [ + { + "bucket2": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"f\"].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { + "locals": [ + { + "bucket2": [ + "var.bucket2" + ], + "__address__": "module.s3_module2[0].module.inner_s3_module[\"d\"].bucket2" + } + ], + "resource": [ + { + "aws_s3_bucket_public_access_block": { + "var_bucket": { + "__end_line__": 11, + "__start_line__": 5, + "block_public_acls": [ + true + ], + "block_public_policy": [ + true + ], + "bucket": [ + "var.bucket2" + ], + "ignore_public_acls": [ + true + ], + "restrict_public_buckets": [ + true + ], + "__address__": "module.s3_module2[0].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket" + } + } + } + ], + "variable": [ + { + "bucket2": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module2[0].module.inner_s3_module[\"d\"].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { + "locals": [ + { + "bucket2": [ + "var.bucket2" + ], + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"f\"].bucket2" + } + ], + "resource": [ + { + "aws_s3_bucket_public_access_block": { + "var_bucket": { + "__end_line__": 11, + "__start_line__": 5, + "block_public_acls": [ + true + ], + "block_public_policy": [ + true + ], + "bucket": [ + "var.bucket2" + ], + "ignore_public_acls": [ + true + ], + "restrict_public_buckets": [ + true + ], + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket" + } + } + } + ], + "variable": [ + { + "bucket2": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"f\"].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { + "locals": [ + { + "bucket2": [ + "var.bucket2" + ], + "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"d\"].bucket2" + } + ], + "resource": [ + { + "aws_s3_bucket_public_access_block": { + "var_bucket": { + "__end_line__": 11, + "__start_line__": 5, + "block_public_acls": [ + true + ], + "block_public_policy": [ + true + ], + "bucket": [ + "var.bucket2" + ], + "ignore_public_acls": [ + true + ], + "restrict_public_buckets": [ + true + ], + "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket" + } + } + } + ], + "variable": [ + { + "bucket2": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"d\"].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { + "locals": [ + { + "bucket2": [ + "var.bucket2" + ], + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"f\"].bucket2" + } + ], + "resource": [ + { + "aws_s3_bucket_public_access_block": { + "var_bucket": { + "__end_line__": 11, + "__start_line__": 5, + "block_public_acls": [ + true + ], + "block_public_policy": [ + true + ], + "bucket": [ + "var.bucket2" + ], + "ignore_public_acls": [ + true + ], + "restrict_public_buckets": [ + true + ], + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket" + } + } + } + ], + "variable": [ + { + "bucket2": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"f\"].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { + "locals": [ + { + "bucket2": [ + "var.bucket2" + ], + "__address__": "module.s3_module2[1].module.inner_s3_module[\"d\"].bucket2" + } + ], + "resource": [ + { + "aws_s3_bucket_public_access_block": { + "var_bucket": { + "__end_line__": 11, + "__start_line__": 5, + "block_public_acls": [ + true + ], + "block_public_policy": [ + true + ], + "bucket": [ + "var.bucket2" + ], + "ignore_public_acls": [ + true + ], + "restrict_public_buckets": [ + true + ], + "__address__": "module.s3_module2[1].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket" + } + } + } + ], + "variable": [ + { + "bucket2": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module2[1].module.inner_s3_module[\"d\"].bucket2" + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { + "locals": [ + { + "bucket2": [ + "var.bucket2" + ], + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"f\"].bucket2" + } + ], + "resource": [ + { + "aws_s3_bucket_public_access_block": { + "var_bucket": { + "__end_line__": 11, + "__start_line__": 5, + "block_public_acls": [ + true + ], + "block_public_policy": [ + true + ], + "bucket": [ + "var.bucket2" + ], + "ignore_public_acls": [ + true + ], + "restrict_public_buckets": [ + true + ], + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket" + } + } + } + ], + "variable": [ + { + "bucket2": { + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ], + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"f\"].bucket2" + } + } + ] + } +} \ No newline at end of file diff --git a/tests/terraform/graph/variable_rendering/test_foreach_renderer.py b/tests/terraform/graph/variable_rendering/test_foreach_renderer.py index b3ce81ffa8c..3bdd01a9140 100644 --- a/tests/terraform/graph/variable_rendering/test_foreach_renderer.py +++ b/tests/terraform/graph/variable_rendering/test_foreach_renderer.py @@ -5,8 +5,10 @@ import pytest from checkov.common.util.json_utils import object_hook, CustomJSONEncoder +from checkov.terraform import TFModule from checkov.terraform.graph_builder.foreach.abstract_handler import ForeachAbstractHandler from checkov.terraform.graph_builder.foreach.builder import ForeachBuilder +from checkov.terraform.graph_builder.foreach.module_handler import ForeachModuleHandler from checkov.terraform.graph_builder.foreach.resource_handler import ForeachResourceHandler from checkov.terraform.graph_builder.graph_to_tf_definitions import convert_graph_vertices_to_tf_definitions @@ -304,18 +306,22 @@ def test_new_tf_parser_with_foreach_modules(checkov_source_path): @mock.patch.dict(os.environ, {"CHECKOV_ENABLE_MODULES_FOREACH_HANDLING": "True"}) def test_tf_definitions_for_foreach_on_modules(checkov_source_path): - dir_name = 'parser_dup_nested' - local_graph, _ = build_and_get_graph_by_path(dir_name, render_var=True) - tf_definitions, _ = convert_graph_vertices_to_tf_definitions(vertices=local_graph.vertices, root_folder=dir_name) + dir_name_and_definitions_path = [ + ('parser_dup_nested', 'expected_foreach_modules_tf_definitions.json'), + ('foreach_module_dup_foreach', 'expected_foreach_module_dup_foreach.json') + ] + for dir_name, definitions_path in dir_name_and_definitions_path: + local_graph, _ = build_and_get_graph_by_path(dir_name, render_var=True) + tf_definitions, _ = convert_graph_vertices_to_tf_definitions(vertices=local_graph.vertices, root_folder=dir_name) - file_path = os.path.join(os.path.dirname(__file__), 'expected_foreach_modules_tf_definitions.json') - with open(file_path, 'r') as f: - expected_data = json.load(f, object_hook=object_hook) + file_path = os.path.join(os.path.dirname(__file__), definitions_path) + with open(file_path, 'r') as f: + expected_data = json.load(f, object_hook=object_hook) - tf_definitions_json = json.dumps(tf_definitions, cls=CustomJSONEncoder) - tf_definitions_json = tf_definitions_json.replace(checkov_source_path, '...') - tf_definitions_after_handling_checkov_source = json.loads(tf_definitions_json, object_hook=object_hook) - assert tf_definitions_after_handling_checkov_source == expected_data + tf_definitions_json = json.dumps(tf_definitions, cls=CustomJSONEncoder) + tf_definitions_json = tf_definitions_json.replace(checkov_source_path, '...') + tf_definitions_after_handling_checkov_source = json.loads(tf_definitions_json, object_hook=object_hook) + assert tf_definitions_after_handling_checkov_source == expected_data @mock.patch.dict(os.environ, {"CHECKOV_ENABLE_MODULES_FOREACH_HANDLING": "True"}) @@ -335,10 +341,29 @@ def test_foreach_module_in_both_levels_module(checkov_source_path): graph, _ = build_and_get_graph_by_path(dir_name, render_var=True) tf_definitions, _ = convert_graph_vertices_to_tf_definitions(vertices=graph.vertices, root_folder=dir_name) - assert len([block for block in graph.vertices if block.block_type == 'module']) == 20 - assert len([block for block in graph.vertices if block.block_type == 'resource']) == 16 + resources = [block for block in graph.vertices if block.block_type == 'resource'] + locals = [block for block in graph.vertices if block.block_type == 'locals'] + vars = [block for block in graph.vertices if block.block_type == 'variable'] + modules = [block for block in graph.vertices if block.block_type == 'module'] + + assert len(modules) == 20 + assert len(resources) == 16 assert len(tf_definitions.keys()) == 22 + for resource in resources: + assert resource.source_module_object.foreach_idx is not None + + for local in locals: + assert local.source_module_object.foreach_idx is not None + + for var in vars: + if var.source_module_object: + assert var.source_module_object.foreach_idx is not None + + for module in modules: + if module.source_module_object: + assert module.source_module_object.foreach_idx is not None + @mock.patch.dict(os.environ, {"CHECKOV_ENABLE_MODULES_FOREACH_HANDLING": "True"}) def test_foreach_module_and_resource(checkov_source_path): @@ -389,3 +414,29 @@ def test_foreach_with_lookup(): graph, _ = build_and_get_graph_by_path(dir_name, render_var=True) assert graph.vertices[0].attributes.get('uniform_bucket_level_access') == [True] assert graph.vertices[1].attributes.get('uniform_bucket_level_access') == [True] + + +def test__get_tf_module_with_no_foreach(): + module = TFModule(name='1', path='1', foreach_idx='1', + nested_tf_module=TFModule(name='2', path='2', foreach_idx='2', nested_tf_module=None)) + result = ForeachModuleHandler._get_tf_module_with_no_foreach(module) + assert result == TFModule(name='1', path='1', foreach_idx=None, + nested_tf_module=TFModule(name='2', path='2', foreach_idx=None, nested_tf_module=None)) + + +def test__get_module_with_only_relevant_foreach_idx(): + module = TFModule(name='1', path='1', foreach_idx='1', + nested_tf_module=TFModule(name='2', path='2', foreach_idx='2', + nested_tf_module=TFModule(name='3', path='3', foreach_idx='3', + nested_tf_module=None) + ) + ) + original_key = TFModule(name='2', path='2', foreach_idx='2', + nested_tf_module=TFModule(name='3', path='3', foreach_idx='3', nested_tf_module=None)) + result = ForeachModuleHandler._get_module_with_only_relevant_foreach_idx('test', original_key, module) + assert result == TFModule(name='1', path='1', foreach_idx='1', + nested_tf_module=TFModule(name='2', path='2', foreach_idx='test', + nested_tf_module=TFModule(name='3', path='3', foreach_idx='3', + nested_tf_module=None) + ) + ) diff --git a/tests/terraform/graph/variable_rendering/test_renderer.py b/tests/terraform/graph/variable_rendering/test_renderer.py index eafed68c3f7..3f52dc207b4 100644 --- a/tests/terraform/graph/variable_rendering/test_renderer.py +++ b/tests/terraform/graph/variable_rendering/test_renderer.py @@ -470,3 +470,18 @@ def test_provider_alias(self): provider_alias = next(vertex for vertex in local_graph.vertices if vertex.block_type == BlockType.PROVIDER and vertex.name == "aws.test") assert provider_alias.config["aws"]["default_tags"] == [{"tags": [{"test": "Test"}]}] + + def test_multiple_dynamic_blocks_value_not_supporting(self): + resource_paths = [ + os.path.join(TEST_DIRNAME, 'test_resources', 'multiple_dynamic_blocks'), + ] + for path in resource_paths: + graph_manager = TerraformGraphManager('m', ['m']) + local_graph, _ = graph_manager.build_graph_from_source_directory(path, render_variables=True) + + resources_vertex = list(filter(lambda v: v.block_type == BlockType.RESOURCE and v.has_dynamic_block, local_graph.vertices)) + value_block_1 = resources_vertex[0].config['google_sql_database_instance']['instance4-should-fail']['settings'][0]['ip_configuration'][0]['dynamic'][0]['authorized_networks']['content'][0]['value'] + value_block_2 = resources_vertex[0].config['google_sql_database_instance']['instance4-should-fail']['settings'][0]['ip_configuration'][0][ + 'dynamic'][1]['authorized_networks']['content'][0]['value'] + # TODO - for now we don't support multiple dynamic blocks - the value_block_1 and value_block_2 needs to be diffrent and not overide each other + assert not value_block_1 != value_block_2 diff --git a/tests/terraform/graph/variable_rendering/test_resources/multiple_dynamic_blocks/main.tf b/tests/terraform/graph/variable_rendering/test_resources/multiple_dynamic_blocks/main.tf new file mode 100644 index 00000000000..6a194380148 --- /dev/null +++ b/tests/terraform/graph/variable_rendering/test_resources/multiple_dynamic_blocks/main.tf @@ -0,0 +1,31 @@ +resource "google_sql_database_instance" "instance4-should-fail" { + name = "instance" + database_version = "POSTGRES_11" + + settings { + tier = "db-f1-micro" + + ip_configuration { + + dynamic "authorized_networks" { + for_each = google_compute_instance.apps + iterator = apps + + content { + name = apps.value.name + value = apps.value.network_interface.0.access_config.0.nat_ip + } + } + + dynamic "authorized_networks" { + for_each = local.onprem + iterator = onprem + + content { + name = "onprem-${onprem.key}" + value = "0.0.0.0/0" + } + } + } + } +} \ No newline at end of file diff --git a/tests/terraform/image_referencer/provider/test_aws.py b/tests/terraform/image_referencer/provider/test_aws.py index b277abb986f..7fe8d4f8bcf 100644 --- a/tests/terraform/image_referencer/provider/test_aws.py +++ b/tests/terraform/image_referencer/provider/test_aws.py @@ -1,17 +1,15 @@ import os from unittest import mock -import igraph import pytest -from networkx import DiGraph - -from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.images.image_referencer import Image from checkov.terraform.image_referencer.provider.aws import AwsTerraformProvider +from tests.graph_utils.utils import GRAPH_FRAMEWORKS, set_graph_by_graph_framework, \ + add_vertices_to_graph_by_graph_framework @mock.patch.dict(os.environ, {"BC_ROOT_DIR": "/tmp/checkov/cshayner/cshayner/terraform-aws-batch/master/src"}) -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_extract_images_from_resources_with_external_module(graph_framework): # given resource = { @@ -61,27 +59,9 @@ def test_extract_images_from_resources_with_external_module(graph_framework): }, "id": "5c440d2a1a5c656290cdf8f98e1d893b1c08f7d7bb7cb93ff97a1884b83c18cc" } - - if graph_framework == 'IGRAPH': - graph = igraph.Graph() - graph.add_vertex( - name='1', - block_type_='resource', - resource_type=resource[ - CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in resource else None, - attr=resource, - ) - graph.add_vertex( - name='batch', - block_type_='module', - resource_type=module_resource[ - CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in module_resource else None, - attr=module_resource, - ) - else: - graph = DiGraph() - graph.add_node(1, **resource) - graph.add_node(2, **module_resource) + graph = set_graph_by_graph_framework(graph_framework) + add_vertices_to_graph_by_graph_framework(graph_framework, resource, graph) + add_vertices_to_graph_by_graph_framework(graph_framework, module_resource, graph, 2, 'batch', 'module') # when with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}): @@ -107,7 +87,7 @@ def test_extract_images_from_resources_with_external_module(graph_framework): ] -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_extract_images_from_resources(graph_framework): # given resource = { @@ -134,19 +114,8 @@ def test_extract_images_from_resources(graph_framework): ], "resource_type": "aws_ecs_task_definition", } - - if graph_framework == 'IGRAPH': - graph = igraph.Graph() - graph.add_vertex( - name='1', - block_type_='resource', - resource_type=resource[ - CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in resource else None, - attr=resource, - ) - else: - graph = DiGraph() - graph.add_node(1, **resource) + graph = set_graph_by_graph_framework(graph_framework) + add_vertices_to_graph_by_graph_framework(graph_framework, resource, graph) # when with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}): @@ -172,7 +141,7 @@ def test_extract_images_from_resources(graph_framework): ] -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_extract_images_from_resources_with_no_image(graph_framework): # given resource = { @@ -190,18 +159,8 @@ def test_extract_images_from_resources_with_no_image(graph_framework): ], "resource_type": "aws_ecs_task_definition", } - if graph_framework == 'IGRAPH': - graph = igraph.Graph() - graph.add_vertex( - name='1', - block_type_='resource', - resource_type=resource[ - CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in resource else None, - attr=resource, - ) - else: - graph = DiGraph() - graph.add_node(1, **resource) + graph = set_graph_by_graph_framework(graph_framework) + add_vertices_to_graph_by_graph_framework(graph_framework, resource, graph) # when with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}): diff --git a/tests/terraform/image_referencer/provider/test_azure.py b/tests/terraform/image_referencer/provider/test_azure.py index 8d10bcdb84b..557e630c7a3 100644 --- a/tests/terraform/image_referencer/provider/test_azure.py +++ b/tests/terraform/image_referencer/provider/test_azure.py @@ -1,15 +1,13 @@ from unittest import mock -import igraph import pytest -from networkx import DiGraph - -from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.images.image_referencer import Image from checkov.terraform.image_referencer.provider.azure import AzureTerraformProvider +from tests.graph_utils.utils import GRAPH_FRAMEWORKS, \ + set_graph_by_graph_framework, add_vertices_to_graph_by_graph_framework -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_extract_images_from_resources(graph_framework): # given resource = { @@ -27,18 +25,8 @@ def test_extract_images_from_resources(graph_framework): }, "resource_type": "azurerm_batch_pool", } - if graph_framework == 'IGRAPH': - graph = igraph.Graph() - graph.add_vertex( - name='1', - block_type_='resource', - resource_type=resource[ - CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in resource else None, - attr=resource, - ) - else: - graph = DiGraph() - graph.add_node(1, **resource) + graph = set_graph_by_graph_framework(graph_framework) + add_vertices_to_graph_by_graph_framework(graph_framework, resource, graph) # when with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}): @@ -52,7 +40,7 @@ def test_extract_images_from_resources(graph_framework): ] -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_extract_images_from_resources_with_no_image(graph_framework): # given resource = { @@ -70,18 +58,8 @@ def test_extract_images_from_resources_with_no_image(graph_framework): }, "resource_type": "azurerm_batch_pool", } - if graph_framework == 'IGRAPH': - graph = igraph.Graph() - graph.add_vertex( - name='1', - block_type_='resource', - resource_type=resource[ - CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in resource else None, - attr=resource, - ) - else: - graph = DiGraph() - graph.add_node(1, **resource) + graph = set_graph_by_graph_framework(graph_framework) + add_vertices_to_graph_by_graph_framework(graph_framework, resource, graph) # when with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}): diff --git a/tests/terraform/image_referencer/provider/test_gcp.py b/tests/terraform/image_referencer/provider/test_gcp.py index 51bfc56e1dd..0688283a599 100644 --- a/tests/terraform/image_referencer/provider/test_gcp.py +++ b/tests/terraform/image_referencer/provider/test_gcp.py @@ -2,25 +2,19 @@ import unittest from unittest import mock -import igraph -from networkx import DiGraph from parameterized import parameterized_class -from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.images.image_referencer import Image from checkov.terraform.image_referencer.provider.gcp import GcpTerraformProvider +from tests.graph_utils.utils import set_graph_by_graph_framework, PARAMETERIZED_GRAPH_FRAMEWORKS, \ + add_vertices_to_graph_by_graph_framework -@parameterized_class([ - {"graph_framework": "NETWORKX"}, - {"graph_framework": "IGRAPH"} -]) + +@parameterized_class(PARAMETERIZED_GRAPH_FRAMEWORKS) class TestGcp(unittest.TestCase): def setUp(self) -> None: - if self.graph_framework == 'NETWORKX': # type: ignore - self.graph = DiGraph() - elif self.graph_framework == 'IGRAPH': # type: ignore - self.graph = igraph.Graph() - + self.graph = set_graph_by_graph_framework(self.graph_framework) + def test_extract_images_from_resources(self): # given resource = { @@ -36,16 +30,8 @@ def test_extract_images_from_resources(self): }, "resource_type": "google_cloud_run_service", } - if self.graph_framework == 'NETWORKX': - self.graph.add_node(1, **resource) - elif self.graph_framework == 'IGRAPH': - self.graph.add_vertex( - name='1', - block_type_='resource', - resource_type=resource[ - CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in resource else None, - attr=resource, - ) + self.graph = set_graph_by_graph_framework(self.graph_framework) + add_vertices_to_graph_by_graph_framework(self.graph_framework, resource, self.graph) # when with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': self.graph_framework}): @@ -78,16 +64,8 @@ def test_extract_images_from_resources_with_no_image(self): }, "resource_type": "google_cloud_run_service", } - if self.graph_framework == 'NETWORKX': - self.graph.add_node(1, **resource) - elif self.graph_framework == 'IGRAPH': - self.graph.add_vertex( - name='1', - block_type_='resource', - resource_type=resource[ - CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in resource else None, - attr=resource, - ) + self.graph = set_graph_by_graph_framework(self.graph_framework) + add_vertices_to_graph_by_graph_framework(self.graph_framework, resource, self.graph) # when with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': self.graph_framework}): diff --git a/tests/terraform/image_referencer/test_manager.py b/tests/terraform/image_referencer/test_manager.py index f36e5a31cdc..f07b81cf2b3 100644 --- a/tests/terraform/image_referencer/test_manager.py +++ b/tests/terraform/image_referencer/test_manager.py @@ -1,15 +1,13 @@ from unittest import mock -import igraph import pytest -from networkx import DiGraph - -from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.images.image_referencer import Image from checkov.terraform.image_referencer.manager import TerraformImageReferencerManager +from tests.graph_utils.utils import set_graph_by_graph_framework, add_vertices_to_graph_by_graph_framework, \ + GRAPH_FRAMEWORKS -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_extract_images_from_resources(graph_framework): # given aws_resource = { @@ -56,35 +54,10 @@ def test_extract_images_from_resources(graph_framework): }, "resource_type": "google_cloud_run_service", } - - if graph_framework == 'IGRAPH': - graph = igraph.Graph() - graph.add_vertex( - name='first', - block_type_='resource', - resource_type=aws_resource[ - CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in aws_resource else None, - attr=aws_resource, - ) - graph.add_vertex( - name='2', - block_type_='resource', - resource_type=azure_resource[ - CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in azure_resource else None, - attr=azure_resource, - ) - graph.add_vertex( - name='3', - block_type_='resource', - resource_type=gcp_resource[ - CustomAttributes.RESOURCE_TYPE] if CustomAttributes.RESOURCE_TYPE in gcp_resource else None, - attr=gcp_resource, - ) - else: - graph = DiGraph() - graph.add_node(1, **aws_resource) - graph.add_node(2, **azure_resource) - graph.add_node(3, **gcp_resource) + graph = set_graph_by_graph_framework(graph_framework) + add_vertices_to_graph_by_graph_framework(graph_framework, aws_resource, graph, 1, 'first') + add_vertices_to_graph_by_graph_framework(graph_framework, azure_resource, graph, 2, '2') + add_vertices_to_graph_by_graph_framework(graph_framework, gcp_resource, graph, 3, '3') # when with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}): diff --git a/tests/terraform/image_referencer/test_plan_runner_aws_resources.py b/tests/terraform/image_referencer/test_plan_runner_aws_resources.py index f595d66964a..b44e2b327f8 100644 --- a/tests/terraform/image_referencer/test_plan_runner_aws_resources.py +++ b/tests/terraform/image_referencer/test_plan_runner_aws_resources.py @@ -13,11 +13,12 @@ mock_get_license_statuses_async, mock_get_image_cached_result_async, ) +from tests.graph_utils.utils import GRAPH_FRAMEWORKS RESOURCES_PATH = Path(__file__).parent / "resources/aws" -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_apprunner_resources(mocker: MockerFixture, graph_framework): from checkov.common.bridgecrew.platform_integration import bc_integration @@ -79,7 +80,7 @@ def test_apprunner_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_batch_resources(mocker: MockerFixture, graph_framework): # given file_name = "batch_tfplan.json" @@ -121,7 +122,7 @@ def test_batch_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_codebuild_resources(mocker: MockerFixture, graph_framework): # given file_name = "codebuild_tfplan.json" @@ -163,7 +164,7 @@ def test_codebuild_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_ecs_resources(mocker: MockerFixture, graph_framework): # given file_name = "ecs_tfplan.json" @@ -210,7 +211,7 @@ def test_ecs_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_lightsail_resources(mocker: MockerFixture, graph_framework): # given file_name = "lightsail_tfplan.json" diff --git a/tests/terraform/image_referencer/test_runner_aws_resources.py b/tests/terraform/image_referencer/test_runner_aws_resources.py index 7aeb157ec45..6507ea622bf 100644 --- a/tests/terraform/image_referencer/test_runner_aws_resources.py +++ b/tests/terraform/image_referencer/test_runner_aws_resources.py @@ -13,11 +13,12 @@ mock_get_license_statuses_async, mock_get_image_cached_result_async, ) +from tests.graph_utils.utils import GRAPH_FRAMEWORKS RESOURCES_PATH = Path(__file__).parent / "resources/aws" -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_apprunner_resources(mocker: MockerFixture, graph_framework): from checkov.common.bridgecrew.platform_integration import bc_integration @@ -78,7 +79,8 @@ def test_apprunner_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.skipped_checks) == 0 assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) + +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_batch_resources(mocker: MockerFixture, graph_framework): # given file_name = "batch.tf" @@ -119,7 +121,8 @@ def test_batch_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.skipped_checks) == 0 assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) + +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_codebuild_resources(mocker: MockerFixture, graph_framework): # given file_name = "codebuild.tf" @@ -160,7 +163,8 @@ def test_codebuild_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.skipped_checks) == 0 assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) + +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_ecs_resources(mocker: MockerFixture, graph_framework): # given file_name = "ecs.tf" @@ -206,7 +210,8 @@ def test_ecs_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.skipped_checks) == 0 assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) + +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_lightsail_resources(mocker: MockerFixture, graph_framework): # given file_name = "lightsail.tf" diff --git a/tests/terraform/image_referencer/test_runner_azure_resources.py b/tests/terraform/image_referencer/test_runner_azure_resources.py index f494ef50cfd..a44cbc6de09 100644 --- a/tests/terraform/image_referencer/test_runner_azure_resources.py +++ b/tests/terraform/image_referencer/test_runner_azure_resources.py @@ -9,11 +9,12 @@ from checkov.terraform.runner import Runner from tests.common.image_referencer.test_utils import mock_get_empty_license_statuses_async, \ mock_get_image_cached_result_async +from tests.graph_utils.utils import GRAPH_FRAMEWORKS RESOURCES_PATH = Path(__file__).parent / "resources/azure" -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_batch_resources(mocker: MockerFixture, graph_framework): # given file_name = "batch.tf" @@ -55,7 +56,7 @@ def test_batch_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_containers_resources(mocker: MockerFixture, graph_framework): # given file_name = "containers.tf" @@ -102,7 +103,7 @@ def test_containers_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_app_service_linux_function_resources(mocker: MockerFixture, graph_framework): # given file_name = "app_service_linux_function.tf" @@ -134,7 +135,7 @@ def test_app_service_linux_function_resources(mocker: MockerFixture, graph_frame assert len(tf_report.resources) == 2 assert len(tf_report.passed_checks) == 0 - assert len(tf_report.failed_checks) == 0 + assert len(tf_report.failed_checks) == 2 assert len(tf_report.skipped_checks) == 0 assert len(tf_report.parsing_errors) == 0 @@ -149,7 +150,7 @@ def test_app_service_linux_function_resources(mocker: MockerFixture, graph_frame assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_app_service_linux_web_resources(mocker: MockerFixture, graph_framework): # given file_name = "app_service_linux_web.tf" @@ -181,7 +182,7 @@ def test_app_service_linux_web_resources(mocker: MockerFixture, graph_framework) assert len(tf_report.resources) == 2 assert len(tf_report.passed_checks) == 4 - assert len(tf_report.failed_checks) == 12 + assert len(tf_report.failed_checks) == 13 assert len(tf_report.skipped_checks) == 0 assert len(tf_report.parsing_errors) == 0 @@ -196,7 +197,7 @@ def test_app_service_linux_web_resources(mocker: MockerFixture, graph_framework) assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_spring_cloud_resources(mocker: MockerFixture, graph_framework): # given file_name = "spring_cloud.tf" @@ -238,7 +239,7 @@ def test_spring_cloud_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_app_service_windows_web_resources(mocker: MockerFixture, graph_framework): # given file_name = "app_service_windows_web.tf" @@ -270,7 +271,7 @@ def test_app_service_windows_web_resources(mocker: MockerFixture, graph_framewor assert len(tf_report.resources) == 2 assert len(tf_report.passed_checks) == 4 - assert len(tf_report.failed_checks) == 12 + assert len(tf_report.failed_checks) == 13 assert len(tf_report.skipped_checks) == 0 assert len(tf_report.parsing_errors) == 0 diff --git a/tests/terraform/image_referencer/test_runner_gcp_resources.py b/tests/terraform/image_referencer/test_runner_gcp_resources.py index d43473af087..491972e1219 100644 --- a/tests/terraform/image_referencer/test_runner_gcp_resources.py +++ b/tests/terraform/image_referencer/test_runner_gcp_resources.py @@ -14,11 +14,12 @@ mock_get_license_statuses_async, mock_get_image_cached_result_async, ) +from tests.graph_utils.utils import GRAPH_FRAMEWORKS RESOURCES_PATH = Path(__file__).parent / "resources/gcp" -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_cloud_run_resources(mocker: MockerFixture, graph_framework): from checkov.common.bridgecrew.platform_integration import bc_integration @@ -77,7 +78,7 @@ def test_cloud_run_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_cloud_run_v2_resources(mocker: MockerFixture, graph_framework): # given file_name = "cloud_run_v2.tf" @@ -124,7 +125,7 @@ def test_cloud_run_v2_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.parsing_errors) == 0 -@pytest.mark.parametrize("graph_framework", ['NETWORKX', 'IGRAPH']) +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) def test_cloudbuild_resources(mocker: MockerFixture, graph_framework): # given file_name = "cloudbuild.tf" diff --git a/tests/terraform/module_loading/data/tf_managed_modules/.terraform/modules/log_group/modules/log-group/main.tf b/tests/terraform/module_loading/data/tf_managed_modules/.terraform/modules/log_group/modules/log-group/main.tf new file mode 100644 index 00000000000..a776539a411 --- /dev/null +++ b/tests/terraform/module_loading/data/tf_managed_modules/.terraform/modules/log_group/modules/log-group/main.tf @@ -0,0 +1,10 @@ +resource "aws_cloudwatch_log_group" "this" { + count = var.create ? 1 : 0 + + name = var.name + name_prefix = var.name_prefix + retention_in_days = var.retention_in_days + kms_key_id = var.kms_key_id + + tags = var.tags +} diff --git a/tests/terraform/module_loading/data/tf_managed_modules/.terraform/modules/log_group/modules/log-group/outputs.tf b/tests/terraform/module_loading/data/tf_managed_modules/.terraform/modules/log_group/modules/log-group/outputs.tf new file mode 100644 index 00000000000..49cb7cd2999 --- /dev/null +++ b/tests/terraform/module_loading/data/tf_managed_modules/.terraform/modules/log_group/modules/log-group/outputs.tf @@ -0,0 +1,9 @@ +output "cloudwatch_log_group_name" { + description = "Name of Cloudwatch log group" + value = try(aws_cloudwatch_log_group.this[0].name, "") +} + +output "cloudwatch_log_group_arn" { + description = "ARN of Cloudwatch log group" + value = try(aws_cloudwatch_log_group.this[0].arn, "") +} diff --git a/tests/terraform/module_loading/data/tf_managed_modules/.terraform/modules/log_group/modules/log-group/variables.tf b/tests/terraform/module_loading/data/tf_managed_modules/.terraform/modules/log_group/modules/log-group/variables.tf new file mode 100644 index 00000000000..58608f21b79 --- /dev/null +++ b/tests/terraform/module_loading/data/tf_managed_modules/.terraform/modules/log_group/modules/log-group/variables.tf @@ -0,0 +1,40 @@ +variable "create" { + description = "Whether to create the Cloudwatch log group" + type = bool + default = true +} + +variable "name" { + description = "A name for the log group" + type = string + default = null +} + +variable "name_prefix" { + description = "A name prefix for the log group" + type = string + default = null +} + +variable "retention_in_days" { + description = "Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653." + type = number + default = null + + validation { + condition = var.retention_in_days == null ? true : contains([0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653], var.retention_in_days) + error_message = "Must be 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 or 0 (zero indicates never expire logs)." + } +} + +variable "kms_key_id" { + description = "The ARN of the KMS Key to use when encrypting logs" + type = string + default = null +} + +variable "tags" { + description = "A map of tags to add to Cloudwatch log group" + type = map(string) + default = {} +} diff --git a/tests/terraform/module_loading/data/tf_managed_modules/.terraform/modules/log_group/modules/log-group/versions.tf b/tests/terraform/module_loading/data/tf_managed_modules/.terraform/modules/log_group/modules/log-group/versions.tf new file mode 100644 index 00000000000..d8dd1a449c5 --- /dev/null +++ b/tests/terraform/module_loading/data/tf_managed_modules/.terraform/modules/log_group/modules/log-group/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + } +} diff --git a/tests/terraform/module_loading/data/tf_managed_modules/.terraform/modules/modules.json b/tests/terraform/module_loading/data/tf_managed_modules/.terraform/modules/modules.json new file mode 100644 index 00000000000..cdea57f4a46 --- /dev/null +++ b/tests/terraform/module_loading/data/tf_managed_modules/.terraform/modules/modules.json @@ -0,0 +1,10 @@ +{ + "Modules": [ + { + "Key": "log_group", + "Source": "registry.terraform.io/terraform-aws-modules/cloudwatch/aws//modules/log-group", + "Version": "4.1.0", + "Dir": ".terraform/modules/log_group/modules/log-group" + } + ] +} \ No newline at end of file diff --git a/tests/terraform/module_loading/data/tf_managed_modules/main.tf b/tests/terraform/module_loading/data/tf_managed_modules/main.tf new file mode 100644 index 00000000000..7f2f3164886 --- /dev/null +++ b/tests/terraform/module_loading/data/tf_managed_modules/main.tf @@ -0,0 +1,14 @@ +module "log_group" { + source = "terraform-aws-modules/cloudwatch/aws//modules/log-group" + + name_prefix = "my-log-group-" + retention_in_days = 7 +} + +module "log_group_v4" { + source = "terraform-aws-modules/cloudwatch/aws//modules/log-group" + version = "~> 4.0" + + name_prefix = "my-log-group-" + retention_in_days = 7 +} diff --git a/tests/terraform/module_loading/test_registry.py b/tests/terraform/module_loading/test_registry.py index 50afd755472..91c8a5cdaa5 100644 --- a/tests/terraform/module_loading/test_registry.py +++ b/tests/terraform/module_loading/test_registry.py @@ -346,7 +346,7 @@ def test_load_local_path(git_getter, tmp_path: Path, source, expected_content_pa "git::https://x-access-token:ghp_xxxxxxxxxxxxxxxxx@github.com/kartikp10/terraform-aws-s3-bucket1", "", ), - ( + ( "git::https://github.com/kartikp10/terraform-aws-s3-bucket1.git", "github.com/kartikp10/terraform-aws-s3-bucket1/HEAD", "https://x-access-token:ghp_xxxxxxxxxxxxxxxxx@github.com/kartikp10/terraform-aws-s3-bucket1.git", @@ -354,7 +354,7 @@ def test_load_local_path(git_getter, tmp_path: Path, source, expected_content_pa "git::https://x-access-token:ghp_xxxxxxxxxxxxxxxxx@github.com/kartikp10/terraform-aws-s3-bucket1.git", "", ), - ( + ( "git@github.com:kartikp10/terraform-aws-s3-bucket1.git", "github.com/kartikp10/terraform-aws-s3-bucket1/HEAD", "https://x-access-token:ghp_xxxxxxxxxxxxxxxxx@github.com/kartikp10/terraform-aws-s3-bucket1.git", @@ -362,7 +362,7 @@ def test_load_local_path(git_getter, tmp_path: Path, source, expected_content_pa "git::https://x-access-token:ghp_xxxxxxxxxxxxxxxxx@github.com/kartikp10/terraform-aws-s3-bucket1.git", "", ), - ( + ( "git::ssh://git@github.com/kartikp10/terraform-aws-s3-bucket1.git", "github.com/kartikp10/terraform-aws-s3-bucket1/HEAD", "https://x-access-token:ghp_xxxxxxxxxxxxxxxxx@github.com/kartikp10/terraform-aws-s3-bucket1.git", @@ -386,7 +386,7 @@ def test_load_local_path(git_getter, tmp_path: Path, source, expected_content_pa "git::https://x-access-token:ghp_xxxxxxxxxxxxxxxxx@github.com/kartikp10/terraform-aws-s3-bucket1.git?ref=v1.2.0", "", ), - ( + ( "git@github.com:kartikp10/terraform-aws-security-group.git//modules/http-80", "github.com/kartikp10/terraform-aws-security-group/HEAD", "https://x-access-token:ghp_xxxxxxxxxxxxxxxxx@github.com/kartikp10/terraform-aws-security-group", @@ -505,3 +505,23 @@ def test_load_terraform_registry_check_cache(tmp_path: Path): # then assert source1 in registry.failed_urls_cache assert source2 in registry.failed_urls_cache + + +def test_loader_equality(): + githubLoaderOne = GithubLoader() + githubLoaderTwo = GithubLoader() + assert githubLoaderOne == githubLoaderTwo + bitLoader = BitbucketLoader() + assert githubLoaderOne != bitLoader + genericLoader = GenericGitLoader() + assert githubLoaderOne != genericLoader and bitLoader != genericLoader + + +def test_multiple_similar_loaders(): + registry = ModuleLoaderRegistry(download_external_modules=True) + assert len(registry.loaders) == 7 + GithubLoader() + GithubLoader() + GenericGitLoader() + BitbucketLoader() + assert len(registry.loaders) == 7 diff --git a/tests/terraform/module_loading/test_runner.py b/tests/terraform/module_loading/test_runner.py new file mode 100644 index 00000000000..e93bde67023 --- /dev/null +++ b/tests/terraform/module_loading/test_runner.py @@ -0,0 +1,52 @@ +import os +from pathlib import Path +from unittest import mock + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.runner import Runner + + +@mock.patch.dict(os.environ, {"CHECKOV_EXPERIMENTAL_TERRAFORM_MANAGED_MODULES": "True"}) +def test_runner_with_tf_managed_modules(): + # given + root_dir = Path(__file__).parent / "data/tf_managed_modules" + + # when + result = Runner().run( + root_folder=str(root_dir), + runner_filter=RunnerFilter(checks=["CKV_AWS_338"], framework=["terraform"], download_external_modules=False), + ) + + # then + summary = result.get_summary() + + assert summary["passed"] == 0 + assert summary["failed"] == 1 + assert summary["skipped"] == 0 + assert summary["parsing_errors"] == 0 + + failed_resources = [check.resource for check in result.failed_checks] + expected_failed_resources = ["module.log_group.aws_cloudwatch_log_group.this[0]"] + + assert failed_resources == expected_failed_resources + + +# test can be removed after setting this flow as default +@mock.patch.dict(os.environ, {"CHECKOV_EXPERIMENTAL_TERRAFORM_MANAGED_MODULES": "False"}) +def test_runner_without_tf_managed_modules(): + # given + root_dir = Path(__file__).parent / "data/tf_managed_modules" + + # when + result = Runner().run( + root_folder=str(root_dir), + runner_filter=RunnerFilter(checks=["CKV_AWS_338"], framework=["terraform"], download_external_modules=False), + ) + + # then + summary = result.get_summary() + + assert summary["passed"] == 0 + assert summary["failed"] == 0 + assert summary["skipped"] == 0 + assert summary["parsing_errors"] == 0 diff --git a/tests/terraform/module_loading/test_tf_module_finder.py b/tests/terraform/module_loading/test_tf_module_finder.py index 7351bad0da3..867fcc947c0 100644 --- a/tests/terraform/module_loading/test_tf_module_finder.py +++ b/tests/terraform/module_loading/test_tf_module_finder.py @@ -1,9 +1,16 @@ import os import shutil import unittest +from pathlib import Path +from unittest import mock from checkov.common.util.consts import DEFAULT_EXTERNAL_MODULES_DIR -from checkov.terraform.module_loading.module_finder import find_modules, should_download, load_tf_modules +from checkov.terraform.module_loading.module_finder import ( + find_modules, + should_download, + load_tf_modules, + replace_terraform_managed_modules, +) from checkov.terraform.module_loading.registry import module_loader_registry @@ -20,7 +27,7 @@ def test_module_finder(self): self.assertEqual(1, len(remote_modules)) for m in remote_modules: if 'terraform-aws-modules' in m.module_link: - self.assertEqual('~>2.1.0', m.version) + self.assertEqual('~> 2.1.0', m.version) else: self.assertIsNone(m.version) @@ -42,3 +49,23 @@ def test_downloader(self): shutil.rmtree(os.path.join(self.get_src_dir(), DEFAULT_EXTERNAL_MODULES_DIR)) self.assertEqual(len(downloaded_modules), 1) self.assertEqual(len(distinct_roots), 1) + + +@mock.patch.dict(os.environ, {"CHECKOV_EXPERIMENTAL_TERRAFORM_MANAGED_MODULES": "True"}) +def test_tf_managed_modules(): + # this test leverages the modules, which Terraform downloads on its own + + # given + src_path = Path(__file__).parent / "data/tf_managed_modules" + modules = find_modules(str(src_path)) + + # when + replaced_modules = replace_terraform_managed_modules(path=str(src_path), found_modules=modules) + + tf_managed_modules = [module for module in replaced_modules if module.tf_managed] + assert len(replaced_modules) == 2 + assert len(tf_managed_modules) == 1 + + assert tf_managed_modules[0].tf_managed is True + assert tf_managed_modules[0].address == "terraform-aws-modules/cloudwatch/aws//modules/log-group:latest" + assert tf_managed_modules[0].module_link == ".terraform/modules/log_group/modules/log-group" diff --git a/tests/terraform/runner/test_plan_runner.py b/tests/terraform/runner/test_plan_runner.py index b4b4efa9de0..ef27ae85faf 100644 --- a/tests/terraform/runner/test_plan_runner.py +++ b/tests/terraform/runner/test_plan_runner.py @@ -16,6 +16,7 @@ from checkov.common.bridgecrew.severities import BcSeverities, Severities from checkov.common.graph.db_connectors.igraph.igraph_db_connector import IgraphConnector from checkov.common.graph.db_connectors.networkx.networkx_db_connector import NetworkxConnector +from checkov.common.graph.db_connectors.rustworkx.rustworkx_db_connector import RustworkxConnector from checkov.common.models.enums import CheckCategories, CheckResult from checkov.runner_filter import RunnerFilter from checkov.terraform import TFDefinitionKey @@ -25,7 +26,8 @@ @parameterized_class([ {"db_connector": NetworkxConnector}, - {"db_connector": IgraphConnector} + {"db_connector": IgraphConnector}, + {"db_connector": RustworkxConnector}, ]) class TestRunnerValid(unittest.TestCase): @classmethod diff --git a/tests/terraform/runner/test_runner.py b/tests/terraform/runner/test_runner.py index 726d71c3d2d..0a36dc09c61 100644 --- a/tests/terraform/runner/test_runner.py +++ b/tests/terraform/runner/test_runner.py @@ -12,6 +12,7 @@ from igraph import Graph from networkx import DiGraph from parameterized import parameterized, parameterized_class +from rustworkx import PyDiGraph from checkov.common.bridgecrew.check_type import CheckType from checkov.common.bridgecrew.severities import Severities, BcSeverities @@ -19,6 +20,7 @@ from checkov.common.checks_infra.registry import get_graph_checks_registry from checkov.common.graph.db_connectors.igraph.igraph_db_connector import IgraphConnector from checkov.common.graph.db_connectors.networkx.networkx_db_connector import NetworkxConnector +from checkov.common.graph.db_connectors.rustworkx.rustworkx_db_connector import RustworkxConnector from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.models.enums import CheckCategories, CheckResult from checkov.common.output.report import Report @@ -41,11 +43,14 @@ EXTERNAL_MODULES_DOWNLOAD_PATH = os.environ.get('EXTERNAL_MODULES_DIR', DEFAULT_EXTERNAL_MODULES_DIR) +# TODO delete igraph @parameterized_class([ {"db_connector": NetworkxConnector, "tf_split_graph": "True", "graph": "NETWORKX"}, {"db_connector": NetworkxConnector, "tf_split_graph": "False", "graph": "NETWORKX"}, {"db_connector": IgraphConnector, "tf_split_graph": "True", "graph": "IGRAPH"}, {"db_connector": IgraphConnector, "tf_split_graph": "False", "graph": "IGRAPH"}, + {"db_connector": RustworkxConnector, "tf_split_graph": "True", "graph": "RUSTWORKX"}, + {"db_connector": RustworkxConnector, "tf_split_graph": "False", "graph": "RUSTWORKX"}, ]) class TestRunnerValid(unittest.TestCase): def setUp(self) -> None: @@ -89,8 +94,12 @@ def test_runner_denylist_checks(self): self.assertIsInstance(report_json, str) self.assertIsNotNone(report_json) self.assertIsNotNone(report.get_test_suite()) - self.assertEqual(report.get_exit_code({'soft_fail': False, 'soft_fail_checks': [], 'soft_fail_threshold': None, 'hard_fail_checks': [], 'hard_fail_threshold': None}), 1) - self.assertEqual(report.get_exit_code({'soft_fail': True, 'soft_fail_checks': [], 'soft_fail_threshold': None, 'hard_fail_checks': [], 'hard_fail_threshold': None}), 0) + self.assertEqual(report.get_exit_code( + {'soft_fail': False, 'soft_fail_checks': [], 'soft_fail_threshold': None, 'hard_fail_checks': [], + 'hard_fail_threshold': None}), 1) + self.assertEqual(report.get_exit_code( + {'soft_fail': True, 'soft_fail_checks': [], 'soft_fail_threshold': None, 'hard_fail_checks': [], + 'hard_fail_threshold': None}), 0) for record in report.failed_checks: self.assertNotIn(record.check_id, checks_denylist) @@ -103,8 +112,12 @@ def test_runner_valid_tf(self): self.assertIsInstance(report_json, str) self.assertIsNotNone(report_json) self.assertIsNotNone(report.get_test_suite()) - self.assertEqual(report.get_exit_code({'soft_fail': False, 'soft_fail_checks': [], 'soft_fail_threshold': None, 'hard_fail_checks': [], 'hard_fail_threshold': None}), 1) - self.assertEqual(report.get_exit_code({'soft_fail': True, 'soft_fail_checks': [], 'soft_fail_threshold': None, 'hard_fail_checks': [], 'hard_fail_threshold': None}), 0) + self.assertEqual(report.get_exit_code( + {'soft_fail': False, 'soft_fail_checks': [], 'soft_fail_threshold': None, 'hard_fail_checks': [], + 'hard_fail_threshold': None}), 1) + self.assertEqual(report.get_exit_code( + {'soft_fail': True, 'soft_fail_checks': [], 'soft_fail_threshold': None, 'hard_fail_checks': [], + 'hard_fail_threshold': None}), 0) summary = report.get_summary() self.assertGreaterEqual(summary['passed'], 1) self.assertGreaterEqual(summary['failed'], 1) @@ -126,7 +139,9 @@ def test_runner_passing_valid_tf(self): self.assertIsInstance(report_json, str) self.assertIsNotNone(report_json) self.assertIsNotNone(report.get_test_suite()) - self.assertEqual(report.get_exit_code({'soft_fail': False, 'soft_fail_checks': [], 'soft_fail_threshold': None, 'hard_fail_checks': [], 'hard_fail_threshold': None}), 1) + self.assertEqual(report.get_exit_code( + {'soft_fail': False, 'soft_fail_checks': [], 'soft_fail_threshold': None, 'hard_fail_checks': [], + 'hard_fail_threshold': None}), 1) summary = report.get_summary() self.assertGreaterEqual(summary['passed'], 1) self.assertEqual(9, summary['failed']) @@ -451,9 +466,12 @@ def test_entire_resources_folder(self): runner = Runner(db_connector=self.db_connector()) if isinstance(runner.db_connector, IgraphConnector): result = runner.run(root_folder=valid_dir_path, external_checks_dir=None, runner_filter=RunnerFilter( - checks=['CKV_AWS_21', 'CKV_AWS_42', 'CKV_AWS_62', 'CKV_AWS_53', 'CKV_AWS_18', 'CKV_AWS_61', 'CKV_AWS_144', - 'CKV_AWS_145', 'CKV_AWS_115', 'CKV_AWS_116', 'CKV_AWS_117', 'CKV_AWS_6', 'CKV_AWS_168', 'CKV_AWS_170', - 'CKV_AWS_171', 'CKV_AWS_172', 'CKV_AWS_37', 'CKV_AWS_38', 'CKV_AWS_39', 'CKV_AWS_107', 'CKV_AWS_109', + checks=['CKV_AWS_21', 'CKV_AWS_42', 'CKV_AWS_62', 'CKV_AWS_53', 'CKV_AWS_18', 'CKV_AWS_61', + 'CKV_AWS_144', + 'CKV_AWS_145', 'CKV_AWS_115', 'CKV_AWS_116', 'CKV_AWS_117', 'CKV_AWS_6', 'CKV_AWS_168', + 'CKV_AWS_170', + 'CKV_AWS_171', 'CKV_AWS_172', 'CKV_AWS_37', 'CKV_AWS_38', 'CKV_AWS_39', 'CKV_AWS_107', + 'CKV_AWS_109', 'CKV_AWS_110'], framework=['terraform'])) self.assertEqual(len(result.passed_checks), 52) self.assertEqual(len(result.failed_checks), 255) @@ -867,7 +885,8 @@ def test_external_definitions_context(self): def test_failure_in_resolved_module(self): current_dir = os.path.dirname(os.path.realpath(__file__)) - valid_dir_path = os.path.join(current_dir, "../parser/resources/parser_scenarios/module_matryoshka_nested_module_enable") + valid_dir_path = os.path.join(current_dir, + "../parser/resources/parser_scenarios/module_matryoshka_nested_module_enable") valid_dir_path = os.path.normpath(valid_dir_path) runner = Runner(db_connector=self.db_connector()) checks_allowlist = ['CKV_AWS_20'] @@ -877,8 +896,12 @@ def test_failure_in_resolved_module(self): self.assertIsInstance(report_json, str) self.assertIsNotNone(report_json) self.assertIsNotNone(report.get_test_suite()) - self.assertEqual(report.get_exit_code({'soft_fail': False, 'soft_fail_checks': [], 'soft_fail_threshold': None, 'hard_fail_checks': [], 'hard_fail_threshold': None}), 1) - self.assertEqual(report.get_exit_code({'soft_fail': True, 'soft_fail_checks': [], 'soft_fail_threshold': None, 'hard_fail_checks': [], 'hard_fail_threshold': None}), 0) + self.assertEqual(report.get_exit_code( + {'soft_fail': False, 'soft_fail_checks': [], 'soft_fail_threshold': None, 'hard_fail_checks': [], + 'hard_fail_threshold': None}), 1) + self.assertEqual(report.get_exit_code( + {'soft_fail': True, 'soft_fail_checks': [], 'soft_fail_threshold': None, 'hard_fail_checks': [], + 'hard_fail_threshold': None}), 0) self.assertEqual(checks_allowlist[0], report.failed_checks[0].check_id) self.assertEqual("/bucket1/bucket2/bucket3/bucket.tf", report.failed_checks[0].file_path) @@ -1039,8 +1062,9 @@ def test_module_skip(self): current_dir = os.path.dirname(os.path.realpath(__file__)) report = Runner(db_connector=self.db_connector()).run(root_folder=f"{current_dir}/resources/module_skip", - external_checks_dir=None, - runner_filter=RunnerFilter(checks="CKV_AWS_19")) # bucket encryption + external_checks_dir=None, + runner_filter=RunnerFilter( + checks="CKV_AWS_19")) # bucket encryption self.assertEqual(len(report.skipped_checks), 5) self.assertEqual(len(report.failed_checks), 0) @@ -1086,9 +1110,10 @@ def test_nested_modules_caller_file(self): def test_module_failure_reporting_772(self): current_dir = os.path.dirname(os.path.realpath(__file__)) - report = Runner(db_connector=self.db_connector()).run(root_folder=f"{current_dir}/resources/module_failure_reporting_772", - external_checks_dir=None, - runner_filter=RunnerFilter(checks="CKV_AWS_143")) # bucket encryption + report = Runner(db_connector=self.db_connector()).run( + root_folder=f"{current_dir}/resources/module_failure_reporting_772", + external_checks_dir=None, + runner_filter=RunnerFilter(checks="CKV_AWS_143")) # bucket encryption self.assertEqual(len(report.failed_checks), 2) self.assertEqual(len(report.passed_checks), 0) @@ -1193,7 +1218,9 @@ def test_loading_external_checks_python_and_yaml(self): runner.graph_registry.checks[:] = [check for check in runner.graph_registry.checks if "CUSTOM" not in check.id] def test_wrong_check_imports(self): - wrong_imports = ("checkov.arm", "checkov.cloudformation", "checkov.dockerfile", "checkov.helm", "checkov.kubernetes", "checkov.serverless") + wrong_imports = ( + "checkov.arm", "checkov.cloudformation", "checkov.dockerfile", "checkov.helm", "checkov.kubernetes", + "checkov.serverless") check_imports = [] checks_path = Path(inspect.getfile(Runner)).parent.joinpath("checks") @@ -1297,16 +1324,20 @@ def test_unrendered_simple_var(self): runner = Runner(db_connector=self.db_connector()) runner_filter = RunnerFilter(framework=['terraform'], checks=checks) - report = runner.run(root_folder=None, files=[file_to_scan], external_checks_dir=[resources_dir], runner_filter=runner_filter) + report = runner.run(root_folder=None, files=[file_to_scan], external_checks_dir=[resources_dir], + runner_filter=runner_filter) # plus 1 unknown self.assertEqual(len(report.passed_checks), 3) self.assertEqual(len(report.failed_checks), 0) - self.assertTrue(any(r.check_id == 'BUCKET_EXISTS' and r.resource == 'aws_s3_bucket.known_simple_pass' for r in report.passed_checks)) - self.assertTrue(any(r.check_id == 'BUCKET_EQUALS' and r.resource == 'aws_s3_bucket.known_simple_pass' for r in report.passed_checks)) + self.assertTrue(any(r.check_id == 'BUCKET_EXISTS' and r.resource == 'aws_s3_bucket.known_simple_pass' for r in + report.passed_checks)) + self.assertTrue(any(r.check_id == 'BUCKET_EQUALS' and r.resource == 'aws_s3_bucket.known_simple_pass' for r in + report.passed_checks)) - self.assertTrue(any(r.check_id == 'BUCKET_EXISTS' and r.resource == 'aws_s3_bucket.unknown_simple' for r in report.passed_checks)) + self.assertTrue(any(r.check_id == 'BUCKET_EXISTS' and r.resource == 'aws_s3_bucket.unknown_simple' for r in + report.passed_checks)) def test_unrendered_nested_var(self): resources_dir = os.path.join( @@ -1316,22 +1347,37 @@ def test_unrendered_nested_var(self): runner = Runner(db_connector=self.db_connector()) runner_filter = RunnerFilter(framework=['terraform'], checks=checks) - report = runner.run(root_folder=None, files=[file_to_scan], external_checks_dir=[resources_dir], runner_filter=runner_filter) + report = runner.run(root_folder=None, files=[file_to_scan], external_checks_dir=[resources_dir], + runner_filter=runner_filter) # plus 3 unknown self.assertEqual(len(report.passed_checks), 5) self.assertEqual(len(report.failed_checks), 2) - self.assertTrue(any(r.check_id == 'COMPONENT_EXISTS' and r.resource == 'aws_s3_bucket.unknown_nested_2_pass' for r in report.passed_checks)) - - self.assertTrue(any(r.check_id == 'COMPONENT_EXISTS' and r.resource == 'aws_s3_bucket.known_nested_pass' for r in report.passed_checks)) - self.assertTrue(any(r.check_id == 'COMPONENT_EQUALS' and r.resource == 'aws_s3_bucket.known_nested_pass' for r in report.passed_checks)) - - self.assertTrue(any(r.check_id == 'COMPONENT_EXISTS' and r.resource == 'aws_s3_bucket.known_nested_2_pass' for r in report.passed_checks)) - self.assertTrue(any(r.check_id == 'COMPONENT_EQUALS' and r.resource == 'aws_s3_bucket.known_nested_2_pass' for r in report.passed_checks)) - - self.assertTrue(any(r.check_id == 'COMPONENT_EXISTS' and r.resource == 'aws_s3_bucket.known_nested_fail' for r in report.failed_checks)) - self.assertTrue(any(r.check_id == 'COMPONENT_EQUALS' and r.resource == 'aws_s3_bucket.known_nested_fail' for r in report.failed_checks)) + self.assertTrue(any( + r.check_id == 'COMPONENT_EXISTS' and r.resource == 'aws_s3_bucket.unknown_nested_2_pass' for r in + report.passed_checks)) + + self.assertTrue(any( + r.check_id == 'COMPONENT_EXISTS' and r.resource == 'aws_s3_bucket.known_nested_pass' for r in + report.passed_checks)) + self.assertTrue(any( + r.check_id == 'COMPONENT_EQUALS' and r.resource == 'aws_s3_bucket.known_nested_pass' for r in + report.passed_checks)) + + self.assertTrue(any( + r.check_id == 'COMPONENT_EXISTS' and r.resource == 'aws_s3_bucket.known_nested_2_pass' for r in + report.passed_checks)) + self.assertTrue(any( + r.check_id == 'COMPONENT_EQUALS' and r.resource == 'aws_s3_bucket.known_nested_2_pass' for r in + report.passed_checks)) + + self.assertTrue(any( + r.check_id == 'COMPONENT_EXISTS' and r.resource == 'aws_s3_bucket.known_nested_fail' for r in + report.failed_checks)) + self.assertTrue(any( + r.check_id == 'COMPONENT_EQUALS' and r.resource == 'aws_s3_bucket.known_nested_fail' for r in + report.failed_checks)) def test_no_duplicate_results(self): resources_path = os.path.join( @@ -1377,14 +1423,16 @@ def test_runner_exclude_file(self): current_dir = os.path.dirname(os.path.realpath(__file__)) path_to_scan = os.path.join(current_dir, 'resources', 'nested_dir', 'dir1') runner = Runner(db_connector=self.db_connector()) - report = runner.run(root_folder=path_to_scan, external_checks_dir=None, runner_filter=RunnerFilter(framework=["terraform"], excluded_paths=['example.tf'])) + report = runner.run(root_folder=path_to_scan, external_checks_dir=None, + runner_filter=RunnerFilter(framework=["terraform"], excluded_paths=['example.tf'])) self.assertEqual(0, len(report.resources)) def test_runner_exclude_dir(self): current_dir = os.path.dirname(os.path.realpath(__file__)) path_to_scan = os.path.join(current_dir, 'resources', 'nested_dir') runner = Runner(db_connector=self.db_connector()) - report = runner.run(root_folder=path_to_scan, external_checks_dir=None, runner_filter=RunnerFilter(framework=["terraform"], excluded_paths=['dir1'])) + report = runner.run(root_folder=path_to_scan, external_checks_dir=None, + runner_filter=RunnerFilter(framework=["terraform"], excluded_paths=['dir1'])) self.assertEqual(1, len(report.resources)) def test_runner_merge_operator(self): @@ -1394,7 +1442,8 @@ def test_runner_merge_operator(self): extra_checks_dir_path = [current_dir + "/resources/merge_operator/query"] runner = Runner(db_connector=self.db_connector()) - report = runner.run(root_folder=tf_dir_path, external_checks_dir=extra_checks_dir_path, runner_filter=RunnerFilter(checks=["CKV2_AWS_200"])) + report = runner.run(root_folder=tf_dir_path, external_checks_dir=extra_checks_dir_path, + runner_filter=RunnerFilter(checks=["CKV2_AWS_200"])) self.assertEqual(1, len(report.passed_checks)) @@ -1417,7 +1466,8 @@ def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult: check = AnyFailingCheck() check.severity = Severities[BcSeverities.LOW] - scan_file_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), "resources", "valid_tf_only_failed_checks", "example_acl_fail.tf") + scan_file_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), "resources", + "valid_tf_only_failed_checks", "example_acl_fail.tf") report = Runner(db_connector=self.db_connector()).run( None, @@ -1494,7 +1544,6 @@ def scan_hidden_dir(self): def test_severity_check_filter(self): custom_check_id = "MY_CUSTOM_CHECK" - resource_registry.checks = defaultdict(list) class AnyFailingCheck(BaseResourceCheck): @@ -1526,7 +1575,6 @@ def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult: def test_severity_skip_check_filter_omit(self): custom_check_id = "MY_CUSTOM_CHECK" - resource_registry.checks = defaultdict(list) class AnyFailingCheck(BaseResourceCheck): @@ -1558,7 +1606,6 @@ def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult: def test_severity_skip_check_filter_include(self): custom_check_id = "MY_CUSTOM_CHECK" - resource_registry.checks = defaultdict(list) class AnyFailingCheck(BaseResourceCheck): @@ -1593,7 +1640,8 @@ def tearDown(self): @parameterized.expand([ (NetworkxConnector,), - (IgraphConnector,) + (IgraphConnector,), + (RustworkxConnector,) ]) def test_get_graph_resource_entity_config(self, graph_connector): current_dir = os.path.dirname(os.path.realpath(__file__)) @@ -1610,13 +1658,51 @@ def test_get_graph_resource_entity_config(self, graph_connector): for data in graph_connector.vs.select()["attr"]: config = Runner.get_graph_resource_entity_config(data) self.assertIn(CustomAttributes.TF_RESOURCE_ADDRESS, config) + if isinstance(graph_connector, PyDiGraph): + for _, data in graph_connector.nodes(): + config = Runner.get_graph_resource_entity_config(data) + self.assertIn(CustomAttributes.TF_RESOURCE_ADDRESS, config) @mock.patch.dict(os.environ, {"ENABLE_DEFINITION_KEY": "True"}) def test_entity_context_fetching_with_TFDefinitionKey(self): runner = Runner(db_connector=self.db_connector()) - full_file_path = TFDefinitionKey(file_path='/tmp/checkov/1069803756901857280/prisma-new-user/TestAutomationRepo_7-30-2023-1-38-24-PM/pr/4/58a43cb0e5daee00398b6c892c9287438c7c74ea/diff/src/file1.tf', tf_source_modules=None) - runner.context = {full_file_path: {'resource': {'aws_lb_listener': {'https1': {'start_line': 1, 'end_line': 7, 'code_lines': [[1, 'resource "aws_lb_listener" "https1" {\n'], [2, ' load_balancer_arn = ""\n'], [3, ' protocol = "HTTPS"\n'], [4, ' default_action {\n'], [5, ' type = ""\n'], [6, ' }\n'], [7, '}']], 'skipped_checks': []}}}}} - entity_with_found_path = {'block_name_': 'aws_lb_listener.https1', 'block_type_': 'resource', 'file_path_': '/tmp/checkov/1069803756901857280/prisma-new-user/TestAutomationRepo_7-30-2023-1-38-24-PM/pr/4/58a43cb0e5daee00398b6c892c9287438c7c74ea/diff/src/file1.tf', 'config_': {'aws_lb_listener': {'https1': {'__end_line__': 7, '__start_line__': 1, 'default_action': [{'type': ['']}], 'load_balancer_arn': [''], 'protocol': ['HTTPS'], '__address__': 'aws_lb_listener.https1'}}}, 'attributes_': {'__end_line__': 7, '__start_line__': 1, 'default_action': {'type': ''}, 'load_balancer_arn': [''], 'protocol': ['HTTPS'], 'resource_type': ['aws_lb_listener'], 'default_action.type': '', '__address__': 'aws_lb_listener.https1'}, 'label_': 'resource: aws_lb_listener.https1', 'id_': 'aws_lb_listener.https1', 'customer_name_': '1069803756901857280', 'account_id_': 'prisma-new-user/TestAutomationRepo_7-30-2023-1-38-24-PM/CICD/243676', 'unique_tag_': 'prod', 'source_': 'terraform', 'violations_count_': 0, 'region_': '', '__end_line__': 7, '__start_line__': 1, 'default_action': {'type': ''}, 'default_action.type': '', 'load_balancer_arn': '', 'protocol': 'HTTPS', 'resource_type': 'aws_lb_listener', '__address__': 'aws_lb_listener.https1', 'module_dependency_': '', 'module_dependency_num_': '', 'hash': 'd61bc3a35537776896f83679a51e63d3a6074f66b368bc4fea07871d282875e9'} + full_file_path = TFDefinitionKey( + file_path='/tmp/checkov/1069803756901857280/prisma-new-user/TestAutomationRepo_7-30-2023-1-38-24-PM/pr/4/58a43cb0e5daee00398b6c892c9287438c7c74ea/diff/src/file1.tf', + tf_source_modules=None) + runner.context = {full_file_path: {'resource': {'aws_lb_listener': {'https1': {'start_line': 1, 'end_line': 7, + 'code_lines': [[1, + 'resource "aws_lb_listener" "https1" {\n'], + [2, + ' load_balancer_arn = ""\n'], + [3, + ' protocol = "HTTPS"\n'], + [4, + ' default_action {\n'], + [5, + ' type = ""\n'], + [6, ' }\n'], + [7, '}']], + 'skipped_checks': []}}}}} + entity_with_found_path = {'block_name_': 'aws_lb_listener.https1', 'block_type_': 'resource', + 'file_path_': '/tmp/checkov/1069803756901857280/prisma-new-user/TestAutomationRepo_7-30-2023-1-38-24-PM/pr/4/58a43cb0e5daee00398b6c892c9287438c7c74ea/diff/src/file1.tf', + 'config_': {'aws_lb_listener': {'https1': {'__end_line__': 7, '__start_line__': 1, + 'default_action': [{'type': ['']}], + 'load_balancer_arn': [''], + 'protocol': ['HTTPS'], + '__address__': 'aws_lb_listener.https1'}}}, + 'attributes_': {'__end_line__': 7, '__start_line__': 1, + 'default_action': {'type': ''}, 'load_balancer_arn': [''], + 'protocol': ['HTTPS'], 'resource_type': ['aws_lb_listener'], + 'default_action.type': '', '__address__': 'aws_lb_listener.https1'}, + 'label_': 'resource: aws_lb_listener.https1', 'id_': 'aws_lb_listener.https1', + 'customer_name_': '1069803756901857280', + 'account_id_': 'prisma-new-user/TestAutomationRepo_7-30-2023-1-38-24-PM/CICD/243676', + 'unique_tag_': 'prod', 'source_': 'terraform', 'violations_count_': 0, 'region_': '', + '__end_line__': 7, '__start_line__': 1, 'default_action': {'type': ''}, + 'default_action.type': '', 'load_balancer_arn': '', 'protocol': 'HTTPS', + 'resource_type': 'aws_lb_listener', '__address__': 'aws_lb_listener.https1', + 'module_dependency_': '', 'module_dependency_num_': '', + 'hash': 'd61bc3a35537776896f83679a51e63d3a6074f66b368bc4fea07871d282875e9'} entity_context = runner.get_entity_context_and_evaluations(entity_with_found_path) assert entity_context is not None assert entity_context['start_line'] == 1 and entity_context['end_line'] == 7