diff --git a/.github/exclude-patterns.txt b/.github/exclude-patterns.txt index 9a3276ef980..2d8ced84f13 100644 --- a/.github/exclude-patterns.txt +++ b/.github/exclude-patterns.txt @@ -34,3 +34,4 @@ tests/terraform/runner/tf_plan_skip_check_regex/resource/.* tests/terraform/runner/tfplan2.json .*Scans.md .*Pipfile.lock +cdk_integration_tests/src/python \ No newline at end of file diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index faef0dbeaa4..c417cd943eb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -103,8 +103,6 @@ jobs: - name: Install pipenv run: | python -m pip install --no-cache-dir --upgrade pipenv - - name: Clone Terragoat - vulnerable terraform - run: git clone https://github.com/bridgecrewio/terragoat - name: Build & install checkov package run: | # remove venv, if exists @@ -112,7 +110,9 @@ jobs: pipenv --python ${{ env.PYTHON_VERSION }} pipenv run pip install pytest pytest-xdist pipenv run python setup.py sdist bdist_wheel - pipenv run pip install dist/checkov-*.whl + bash -c 'pipenv run pip install dist/checkov-*.whl' + - name: Clone Terragoat - vulnerable terraform + run: git clone https://github.com/bridgecrewio/terragoat - name: Run checkov with Prisma creds env: PRISMA_KEY: ${{ secrets.PRISMA_KEY }} @@ -121,6 +121,44 @@ jobs: pipenv run checkov -s -d terragoat --bc-api-key "$PRISMA_KEY" --repo-id yuvalyacoby/terragoat > checkov_report_prisma.txt grep "prismacloud.io" checkov_report_prisma.txt exit $? + sast-integration-tests: + strategy: + fail-fast: true + matrix: + python: ["3.8", "3.11"] + os: [ubuntu-latest, macos-latest] + runs-on: ${{ matrix.os }} + continue-on-error: true # for now it is ok to fail + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 + - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 + with: + python-version: ${{ matrix.python }} + - name: Install pipenv + run: | + python -m pip install --no-cache-dir --upgrade pipenv + - name: Build & install checkov package + run: | + # remove venv, if exists + pipenv --rm || true + pipenv --python ${{ matrix.python }} + pipenv run pip install pytest pytest-xdist + pipenv run python setup.py sdist bdist_wheel + bash -c 'pipenv run pip install dist/checkov-*.whl' + - name: Clone flask - Python repo for SAST + run: git clone https://github.com/pallets/flask + - name: Clone WebGoat - Java repo for SAST + run: git clone https://github.com/WebGoat/WebGoat + - name: Clone axios - JavaScript repo for SAST + run: git clone https://github.com/axios/axios + - name: Create checkov reports + env: + LOG_LEVEL: INFO + BC_API_KEY: ${{ secrets.BC_API_KEY }} + run: bash -c './sast_integration_tests/prepare_data.sh' + - name: Run integration tests + run: | + pipenv run pytest sast_integration_tests unit-tests: timeout-minutes: 30 runs-on: ubuntu-latest @@ -154,7 +192,7 @@ jobs: run: | pipenv run python -m pytest tests bump-version: - needs: [integration-tests, unit-tests, prisma-tests] + needs: [integration-tests, unit-tests, prisma-tests] # add 'sast-integration-tests' when ready runs-on: [self-hosted, public, linux, x64] environment: release permissions: diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 43792dad2ce..34f75ee547c 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -39,7 +39,7 @@ jobs: - name: Build GitHub Release changelog if: steps.prepare_release.outputs.create_release == 'true' id: build_github_release - uses: mikepenz/release-changelog-builder-action@6fd5cc6eaf7567dbd0f9666061215bb476f012fc # v3 + uses: mikepenz/release-changelog-builder-action@81ca5f10b8c238cbc36e53691a39273636d7d1f6 # v3 env: GITHUB_TOKEN: ${{ secrets.GH_PAT_SECRET }} with: diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml index 8544f760eb7..743c03f37c8 100644 --- a/.github/workflows/pr-test.yml +++ b/.github/workflows/pr-test.yml @@ -156,7 +156,6 @@ jobs: python-version: ${{ matrix.python }} cache: "pipenv" cache-dependency-path: "Pipfile.lock" - - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4 - name: Install pipenv run: | python -m pip install --no-cache-dir --upgrade pipenv @@ -202,7 +201,6 @@ jobs: python-version: ${{ matrix.python }} cache: "pipenv" cache-dependency-path: "Pipfile.lock" - - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4 - name: Install pipenv run: | python -m pip install --no-cache-dir --upgrade pipenv diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 018a96e65ee..61db2067e35 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -18,7 +18,7 @@ repos: - id: teyit language_version: python3.9 - repo: https://github.com/rhysd/actionlint - rev: v1.6.25 + rev: v1.6.26 hooks: - id: actionlint-docker # SC2129 - Consider using { cmd1; cmd2; } >> file instead of individual redirects. @@ -33,7 +33,7 @@ repos: additional_dependencies: - vistir<0.7.0 # can be removed, when v4.0.0 of pipenv-setup comes out - repo: https://github.com/seddonym/import-linter # checks the import dependencies between each other - rev: v1.12.0 + rev: v1.12.1 hooks: - id: import-linter language_version: python3.9 diff --git a/CHANGELOG.md b/CHANGELOG.md index 6145297eb5f..b57795a7722 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,56 @@ # CHANGELOG -## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.0.14...HEAD) +## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.0.25...HEAD) + +## [3.0.25](https://github.com/bridgecrewio/checkov/compare/3.0.24...3.0.25) - 2023-11-07 + +### Bug Fix + +- **general:** do not require a repo ID when using an API key and --list - [#5726](https://github.com/bridgecrewio/checkov/pull/5726) + +## [3.0.24](https://github.com/bridgecrewio/checkov/compare/3.0.21...3.0.24) - 2023-11-06 + +### Feature + +- **sast:** add new python CDK policies - [#5706](https://github.com/bridgecrewio/checkov/pull/5706) +- **terraform:** Ensure that only critical system pods run on system nodes - [#5665](https://github.com/bridgecrewio/checkov/pull/5665) + +## [3.0.21](https://github.com/bridgecrewio/checkov/compare/3.0.19...3.0.21) - 2023-11-05 + +### Feature + +- **terraform:** Ensure App Service Environment is zone redundant - [#5662](https://github.com/bridgecrewio/checkov/pull/5662) +- **terraform:** Ensure that Standard Replication is enabled - [#5649](https://github.com/bridgecrewio/checkov/pull/5649) + +### Bug Fix + +- **sca:** Setting only relevant cves for the extracted reachable functions with risk factor of ReachableFunction as True - [#5715](https://github.com/bridgecrewio/checkov/pull/5715) +- **terraform:** CKV_AWS_208 valid Amazon MQ versions - [#5653](https://github.com/bridgecrewio/checkov/pull/5653) + +## [3.0.19](https://github.com/bridgecrewio/checkov/compare/3.0.16...3.0.19) - 2023-11-02 + +### Feature + +- **sca:** adjusting the cli-output to support indicating of reachable functions - [#5713](https://github.com/bridgecrewio/checkov/pull/5713) +- **terraform:** Adding YAML based build time policies for corresponding PC runtime policies - [#5637](https://github.com/bridgecrewio/checkov/pull/5637) +- **terraform:** bigtable deletion protection [depends on #5625] - [#5626](https://github.com/bridgecrewio/checkov/pull/5626) +- **terraform:** drop and deletion checks for spanner - [#5625](https://github.com/bridgecrewio/checkov/pull/5625) + +### Bug Fix + +- **sast:** add cveid to reachability report - [#5708](https://github.com/bridgecrewio/checkov/pull/5708) + +## [3.0.16](https://github.com/bridgecrewio/checkov/compare/3.0.15...3.0.16) - 2023-11-01 + +### Feature + +- **sca:** Extending reachability post-runner in checkov and enriching cves with ReachableFunction data - [#5707](https://github.com/bridgecrewio/checkov/pull/5707) + +## [3.0.15](https://github.com/bridgecrewio/checkov/compare/3.0.14...3.0.15) - 2023-10-31 + +### Bug Fix + +- **general:** fix duplicate components in CycloneDX report - [#5705](https://github.com/bridgecrewio/checkov/pull/5705) ## [3.0.14](https://github.com/bridgecrewio/checkov/compare/3.0.13...3.0.14) - 2023-10-30 diff --git a/cdk_integration_tests/src/python/APIGatewayCacheEnable/fail__2__.py b/cdk_integration_tests/src/python/APIGatewayCacheEnable/fail__2__.py new file mode 100644 index 00000000000..343c5d950cc --- /dev/null +++ b/cdk_integration_tests/src/python/APIGatewayCacheEnable/fail__2__.py @@ -0,0 +1,50 @@ +from aws_cdk import core +from aws_cdk import aws_apigateway as apigateway +from aws_cdk import aws_sam as sam +class MyApiGatewayStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an API Gateway stage with cache cluster enabled + api = apigateway.RestApi( + self, + "MyApi", + rest_api_name="MyApiName", + ) + + stage = apigateway.Stage( + self, + "MyApiStage", + stage_name="prod", # Replace with your desired stage name + deployment=api.latest_deployment, + ) + +class MySAMApiStack2(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a Serverless API with cache cluster enabled + sam_api = sam.CfnApi( + self, + "MySAMApi", + stage_name="prod", # Specify the stage name + definition_body={ + "openapi": "3.0.1", + "info": { + "title": "MyAPI", + }, + "paths": { + "/example": { + "get": { + "responses": { + "200": { + "description": "A sample response", + }, + }, + }, + }, + }, + }, + ) diff --git a/cdk_integration_tests/src/python/APIGatewayCacheEnable/pass.py b/cdk_integration_tests/src/python/APIGatewayCacheEnable/pass.py new file mode 100644 index 00000000000..8c1cea94c70 --- /dev/null +++ b/cdk_integration_tests/src/python/APIGatewayCacheEnable/pass.py @@ -0,0 +1,54 @@ +from aws_cdk import core +from aws_cdk import aws_apigateway as apigateway +from aws_cdk import aws_sam as sam +class MyApiGatewayStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an API Gateway stage with cache cluster enabled + api = apigateway.RestApi( + self, + "MyApi", + rest_api_name="MyApiName", + ) + + stage = apigateway.Stage( + self, + "MyApiStage", + stage_name="prod", # Replace with your desired stage name + deployment=api.latest_deployment, + cache_cluster_enabled=True, # Enable cache cluster + cache_cluster_size="0.5", # Specify the cache cluster size + ) + +class MySAMApiStack2(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a Serverless API with cache cluster enabled + sam_api = sam.CfnApi( + self, + "MySAMApi", + cacheClusterEnabled=True, # Enable cache cluster + cacheClusterSize="0.5", # Specify the cache cluster size + stage_name="prod", # Specify the stage name + definition_body={ + "openapi": "3.0.1", + "info": { + "title": "MyAPI", + }, + "paths": { + "/example": { + "get": { + "responses": { + "200": { + "description": "A sample response", + }, + }, + }, + }, + }, + }, + ) diff --git a/cdk_integration_tests/src/python/BackupVaultEncrypted/fail__1__.py b/cdk_integration_tests/src/python/BackupVaultEncrypted/fail__1__.py new file mode 100644 index 00000000000..d0c01aa2d9e --- /dev/null +++ b/cdk_integration_tests/src/python/BackupVaultEncrypted/fail__1__.py @@ -0,0 +1,14 @@ +from aws_cdk import core +from aws_cdk import aws_backup as backup + +class MyBackupStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a Backup Vault with the specified encryption key ARN + backup_vault = backup.CfnBackupVault( + self, + "MyBackupVault", + name="MyBackupVault", + ) diff --git a/cdk_integration_tests/src/python/BackupVaultEncrypted/pass.py b/cdk_integration_tests/src/python/BackupVaultEncrypted/pass.py new file mode 100644 index 00000000000..72ebd6bf835 --- /dev/null +++ b/cdk_integration_tests/src/python/BackupVaultEncrypted/pass.py @@ -0,0 +1,18 @@ +from aws_cdk import core +from aws_cdk import aws_backup as backup + +class MyBackupStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Replace 'your-encryption-key-arn' with the actual KMS key ARN you want to use + encryption_key_arn = 'your-encryption-key-arn' + + # Create a Backup Vault with the specified encryption key ARN + backup_vault = backup.CfnBackupVault( + self, + "MyBackupVault", + name="MyBackupVault", + encryption_key_arn=encryption_key_arn, + ) diff --git a/cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/fail__1__.py b/cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/fail__1__.py new file mode 100644 index 00000000000..092522c82e4 --- /dev/null +++ b/cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/fail__1__.py @@ -0,0 +1,16 @@ +from aws_cdk import core +from aws_cdk import aws_logs as logs + +class MyBadLogGroupStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a CloudWatch Logs log group without specifying KMS key + log_group = logs.LogGroup( + self, + "MyBadLogGroup", + log_group_name="MyLogGroupName", + retention=logs.RetentionDays.ONE_MONTH, # Set the retention policy as needed + # KMS key is not specified + ) diff --git a/cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/pass.py b/cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/pass.py new file mode 100644 index 00000000000..a40e6fa1d96 --- /dev/null +++ b/cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/pass.py @@ -0,0 +1,16 @@ +from aws_cdk import core +from aws_cdk import aws_logs as logs + +class MyLogGroupStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a CloudWatch Logs log group with KMS key ID + log_group = logs.LogGroup( + self, + "MyLogGroup", + log_group_name="MyLogGroupName", + retention=logs.RetentionDays.ONE_MONTH, # Set the retention policy as needed + kms_key=1, # Specify the KMS key + ) diff --git a/cdk_integration_tests/src/python/DAXEncryption/fail__1__.py b/cdk_integration_tests/src/python/DAXEncryption/fail__1__.py new file mode 100644 index 00000000000..ff3f5aaf3fa --- /dev/null +++ b/cdk_integration_tests/src/python/DAXEncryption/fail__1__.py @@ -0,0 +1,20 @@ +from aws_cdk import core +from aws_cdk import aws_dax as dax + +class DAXClusterStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a DAX cluster + dax_cluster = dax.CfnCluster( + self, "MyDAXCluster", + cluster_name="MyDAXCluster", + description="My DAX Cluster", + iam_role_arn="arn:aws:iam::123456789012:role/DAXServiceRole", + node_type="dax.r5.large", + replication_factor=2, + ) + +app = core.App() +DAXClusterStack(app, "DAXClusterStack") +app.synth() diff --git a/cdk_integration_tests/src/python/DAXEncryption/pass.py b/cdk_integration_tests/src/python/DAXEncryption/pass.py new file mode 100644 index 00000000000..44dcfae288b --- /dev/null +++ b/cdk_integration_tests/src/python/DAXEncryption/pass.py @@ -0,0 +1,24 @@ +from aws_cdk import core +from aws_cdk import aws_dax as dax + +class DAXClusterStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a DAX cluster + dax_cluster = dax.CfnCluster( + self, "MyDAXCluster", + cluster_name="MyDAXCluster", + description="My DAX Cluster", + iam_role_arn="arn:aws:iam::123456789012:role/DAXServiceRole", + node_type="dax.r5.large", + replication_factor=2, + sse_specification=dax.CfnCluster.SSESpecificationProperty( + enabled=True, # Enable server-side encryption + kms_key_id="arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id" + ) + ) + +app = core.App() +DAXClusterStack(app, "DAXClusterStack") +app.synth() diff --git a/cdk_integration_tests/src/python/DocDBEncryption/fail__1__.py b/cdk_integration_tests/src/python/DocDBEncryption/fail__1__.py new file mode 100644 index 00000000000..4df7382b011 --- /dev/null +++ b/cdk_integration_tests/src/python/DocDBEncryption/fail__1__.py @@ -0,0 +1,18 @@ +from aws_cdk import core +from aws_cdk import aws_docdb as docdb + +class MyDocDBClusterStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an Amazon DocumentDB cluster with storage encryption disabled + docdb_cluster = docdb.CfnDBCluster( + self, + "MyDocDBCluster", + db_cluster_identifier="my-docdb-cluster", + master_username="admin", + master_user_password="mypassword", # checkov:skip=CKV_SECRET_6 test secret + availability_zones=["us-east-1a", "us-east-1b"], # Specify the availability zones + port=27017, # Specify the port as needed + ) diff --git a/cdk_integration_tests/src/python/DocDBEncryption/pass.py b/cdk_integration_tests/src/python/DocDBEncryption/pass.py new file mode 100644 index 00000000000..7125a8827c3 --- /dev/null +++ b/cdk_integration_tests/src/python/DocDBEncryption/pass.py @@ -0,0 +1,19 @@ +from aws_cdk import core +from aws_cdk import aws_docdb as docdb + +class MyDocDBClusterStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an Amazon DocumentDB cluster with storage encryption enabled + docdb_cluster = docdb.CfnDBCluster( + self, + "MyDocDBCluster", + db_cluster_identifier="my-docdb-cluster", + master_username="admin", + master_user_password="mypassword", # checkov:skip=CKV_SECRET_6 test secret + storage_encrypted=True, # Enable storage encryption + availability_zones=["us-east-1a", "us-east-1b"], # Specify the availability zones + port=27017, # Specify the port as needed + ) diff --git a/cdk_integration_tests/src/python/DynamodbGlobalTableRecovery/fail__1__.py b/cdk_integration_tests/src/python/DynamodbGlobalTableRecovery/fail__1__.py new file mode 100644 index 00000000000..e1f38c52ee2 --- /dev/null +++ b/cdk_integration_tests/src/python/DynamodbGlobalTableRecovery/fail__1__.py @@ -0,0 +1,20 @@ +from aws_cdk import core +from aws_cdk import aws_dynamodb as dynamodb + +class DynamoDBGlobalTableStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a DynamoDB Global Table + global_table = dynamodb.CfnGlobalTable( + self, "MyGlobalTable", + replication_group=[{"region_name": "us-east-1"}, {"region_name": "us-west-2"}], + table_name="MyGlobalTable", + replicas=[ + dynamodb.CfnGlobalTable.ReplicaSpecificationProperty( + point_in_time_recovery_specification=dynamodb.CfnGlobalTable.PointInTimeRecoverySpecificationProperty( + point_in_time_recovery_enabled=False + ) + ) + ] + ) diff --git a/cdk_integration_tests/src/python/DynamodbGlobalTableRecovery/pass.py b/cdk_integration_tests/src/python/DynamodbGlobalTableRecovery/pass.py new file mode 100644 index 00000000000..d3d1bf05174 --- /dev/null +++ b/cdk_integration_tests/src/python/DynamodbGlobalTableRecovery/pass.py @@ -0,0 +1,20 @@ +from aws_cdk import core +from aws_cdk import aws_dynamodb as dynamodb + +class DynamoDBGlobalTableStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a DynamoDB Global Table + global_table = dynamodb.CfnGlobalTable( + self, "MyGlobalTable", + replication_group=[{"region_name": "us-east-1"}, {"region_name": "us-west-2"}], + table_name="MyGlobalTable", + replicas=[ + dynamodb.CfnGlobalTable.ReplicaSpecificationProperty( + point_in_time_recovery_specification=dynamodb.CfnGlobalTable.PointInTimeRecoverySpecificationProperty( + point_in_time_recovery_enabled=True + ) + ) + ] + ) \ No newline at end of file diff --git a/cdk_integration_tests/src/python/DynamodbRecovery/fail__1__.py b/cdk_integration_tests/src/python/DynamodbRecovery/fail__1__.py new file mode 100644 index 00000000000..f69cb5f9d08 --- /dev/null +++ b/cdk_integration_tests/src/python/DynamodbRecovery/fail__1__.py @@ -0,0 +1,17 @@ +from aws_cdk import core +from aws_cdk import aws_dynamodb as dynamodb + +class MyDynamoDBStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a DynamoDB table with PointInTimeRecoveryEnabled set to True + dynamodb_table = dynamodb.Table( + self, + "MyDynamoDBTable", + table_name="MyTableName", + partition_key=dynamodb.Attribute(name="PartitionKey", type=dynamodb.AttributeType.STRING), + point_in_time_recovery=False, # Set PointInTimeRecoveryEnabled to True + removal_policy=core.RemovalPolicy.DESTROY, # Specify the removal policy as needed + ) diff --git a/cdk_integration_tests/src/python/DynamodbRecovery/pass.py b/cdk_integration_tests/src/python/DynamodbRecovery/pass.py new file mode 100644 index 00000000000..f0e24de967a --- /dev/null +++ b/cdk_integration_tests/src/python/DynamodbRecovery/pass.py @@ -0,0 +1,17 @@ +from aws_cdk import core +from aws_cdk import aws_dynamodb as dynamodb + +class MyDynamoDBStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a DynamoDB table with PointInTimeRecoveryEnabled set to True + dynamodb_table = dynamodb.Table( + self, + "MyDynamoDBTable", + table_name="MyTableName", + partition_key=dynamodb.Attribute(name="PartitionKey", type=dynamodb.AttributeType.STRING), + point_in_time_recovery=True, # Set PointInTimeRecoveryEnabled to True + removal_policy=core.RemovalPolicy.DESTROY, # Specify the removal policy as needed + ) diff --git a/cdk_integration_tests/src/python/EBSEncryption/fail__1__.py b/cdk_integration_tests/src/python/EBSEncryption/fail__1__.py new file mode 100644 index 00000000000..2c5b227bd45 --- /dev/null +++ b/cdk_integration_tests/src/python/EBSEncryption/fail__1__.py @@ -0,0 +1,17 @@ +from aws_cdk import core +from aws_cdk import aws_ec2 as ec2 + +class MyVolumeStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an EBS volume without encryption + ebs_volume = ec2.Volume( + self, + "MyEBSVolume", + availability_zone="us-east-1a", # Replace with your desired availability zone + size=100, # Set the size of the volume as needed + encrypted=False, # Disable encryption (default is False) + volume_type=ec2.EbsDeviceVolumeType.GP2, # Specify the volume type + ) diff --git a/cdk_integration_tests/src/python/EBSEncryption/pass.py b/cdk_integration_tests/src/python/EBSEncryption/pass.py new file mode 100644 index 00000000000..ebbb22a27d0 --- /dev/null +++ b/cdk_integration_tests/src/python/EBSEncryption/pass.py @@ -0,0 +1,17 @@ +from aws_cdk import core +from aws_cdk import aws_ec2 as ec2 + +class MyVolumeStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an EBS volume with encryption enabled + ebs_volume = ec2.Volume( + self, + "MyEBSVolume", + availability_zone="us-east-1a", # Replace with your desired availability zone + size=100, # Set the size of the volume as needed + encrypted=True, # Enable encryption + volume_type=ec2.EbsDeviceVolumeType.GP2, # Specify the volume type + ) diff --git a/cdk_integration_tests/src/python/ECRImageScanning/fail__1__.py b/cdk_integration_tests/src/python/ECRImageScanning/fail__1__.py new file mode 100644 index 00000000000..21a8c860ae9 --- /dev/null +++ b/cdk_integration_tests/src/python/ECRImageScanning/fail__1__.py @@ -0,0 +1,14 @@ +from aws_cdk import core +from aws_cdk import aws_ecr as ecr + +class MyECRStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an ECR repository with image scanning on push enabled + ecr_repository = ecr.Repository( + self, + "MyECRRepository", + repository_name="my-ecr-repo", + ) diff --git a/cdk_integration_tests/src/python/ECRImageScanning/pass.py b/cdk_integration_tests/src/python/ECRImageScanning/pass.py new file mode 100644 index 00000000000..2f157f48559 --- /dev/null +++ b/cdk_integration_tests/src/python/ECRImageScanning/pass.py @@ -0,0 +1,15 @@ +from aws_cdk import core +from aws_cdk import aws_ecr as ecr + +class MyECRStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an ECR repository with image scanning on push enabled + ecr_repository = ecr.Repository( + self, + "MyECRRepository", + repository_name="my-ecr-repo", + image_scan_on_push=True, # Enable image scanning on push + ) diff --git a/cdk_integration_tests/src/python/ECRImmutableTags/fail__1__.py b/cdk_integration_tests/src/python/ECRImmutableTags/fail__1__.py new file mode 100644 index 00000000000..bc6ae0b0749 --- /dev/null +++ b/cdk_integration_tests/src/python/ECRImmutableTags/fail__1__.py @@ -0,0 +1,15 @@ +from aws_cdk import core +from aws_cdk import aws_ecr as ecr + +class MyECRStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an ECR repository with immutable image tags + ecr_repository = ecr.Repository( + self, + "MyECRRepository", + repository_name="my-ecr-repo", + image_tag_mutability=ecr.TagMutability.MUTABLE, # Set image tag mutability to IMMUTABLE + ) diff --git a/cdk_integration_tests/src/python/ECRImmutableTags/pass.py b/cdk_integration_tests/src/python/ECRImmutableTags/pass.py new file mode 100644 index 00000000000..06d1c6e70ac --- /dev/null +++ b/cdk_integration_tests/src/python/ECRImmutableTags/pass.py @@ -0,0 +1,15 @@ +from aws_cdk import core +from aws_cdk import aws_ecr as ecr + +class MyECRStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an ECR repository with immutable image tags + ecr_repository = ecr.Repository( + self, + "MyECRRepository", + repository_name="my-ecr-repo", + image_tag_mutability=ecr.TagMutability.IMMUTABLE, # Set image tag mutability to IMMUTABLE + ) diff --git a/cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransit/fail__1__.py b/cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransit/fail__1__.py new file mode 100644 index 00000000000..b040f25df96 --- /dev/null +++ b/cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransit/fail__1__.py @@ -0,0 +1,25 @@ +from aws_cdk import core +from aws_cdk import aws_elasticache as elasticache + +class ElastiCacheReplicationGroupStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an AWS ElastiCache Replication Group + replication_group = elasticache.CfnReplicationGroup( + self, + "MyElastiCacheReplicationGroup", + replication_group_id="my-replication-group", + replication_group_description="My ElastiCache Replication Group", + cache_node_type="cache.m4.large", + engine="redis", + engine_version="5.0.6", + port=6379, + num_cache_clusters=2, + automatic_failover_enabled=True, + ) + +app = core.App() +ElastiCacheReplicationGroupStack(app, "ElastiCacheReplicationGroupStack") +app.synth() diff --git a/cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransit/pass.py b/cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransit/pass.py new file mode 100644 index 00000000000..d53ea874466 --- /dev/null +++ b/cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransit/pass.py @@ -0,0 +1,26 @@ +from aws_cdk import core +from aws_cdk import aws_elasticache as elasticache + +class ElastiCacheReplicationGroupStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an AWS ElastiCache Replication Group + replication_group = elasticache.CfnReplicationGroup( + self, + "MyElastiCacheReplicationGroup", + replication_group_id="my-replication-group", + replication_group_description="My ElastiCache Replication Group", + cache_node_type="cache.m4.large", + engine="redis", + engine_version="5.0.6", + port=6379, + num_cache_clusters=2, + automatic_failover_enabled=True, + transit_encryption_enabled=True # Enable transit encryption + ) + +app = core.App() +ElastiCacheReplicationGroupStack(app, "ElastiCacheReplicationGroupStack") +app.synth() diff --git a/cdk_integration_tests/src/python/GlueSecurityConfigurationEnabled/fail__3__.py b/cdk_integration_tests/src/python/GlueSecurityConfigurationEnabled/fail__3__.py new file mode 100644 index 00000000000..ffa9d221cee --- /dev/null +++ b/cdk_integration_tests/src/python/GlueSecurityConfigurationEnabled/fail__3__.py @@ -0,0 +1,70 @@ +from aws_cdk import core +from aws_cdk import aws_glue as glue + +class GlueCrawlerStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + crawler = glue.CfnCrawler( + self, + "MyCrawler", + name="MyCrawler", + database_name="mydatabase", + role=crawler_role.role_arn, + targets={ + "s3Targets": [ + { + "path": "s3://your-s3-bucket/path/to/crawl", + } + ] + }, + ) + +app = core.App() +GlueCrawlerStack(app, "GlueCrawlerStack") +app.synth() + + +class GlueDevEndpointStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an AWS Glue DevEndpoint + dev_endpoint = glue.CfnDevEndpoint( + self, + "MyDevEndpoint", + role_arn="arn:aws:iam::YOUR_ACCOUNT_ID:role/YourGlueDevEndpointRole", + worker_type="Standard", + glue_version="1.0", + ) + +app = core.App() +GlueDevEndpointStack(app, "GlueDevEndpointStack") +app.synth() + +class GlueJobStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an AWS Glue Job + job = glue.CfnJob( + self, + "MyGlueJob", + command={ + "name": "glueetl", + "pythonVersion": "3" + }, + default_arguments={ + "--job-language": "python" + }, + max_capacity=10, + glue_version="1.0" + ) + +app = core.App() +GlueJobStack(app, "GlueJobStack") +app.synth() + diff --git a/cdk_integration_tests/src/python/GlueSecurityConfigurationEnabled/pass.py b/cdk_integration_tests/src/python/GlueSecurityConfigurationEnabled/pass.py new file mode 100644 index 00000000000..f370e0fee96 --- /dev/null +++ b/cdk_integration_tests/src/python/GlueSecurityConfigurationEnabled/pass.py @@ -0,0 +1,80 @@ +from aws_cdk import core +from aws_cdk import aws_glue as glue +from aws_cdk import aws_iam as iam + +class GlueCrawlerStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + crawler = glue.CfnCrawler( + self, + "MyCrawler", + name="MyCrawler", + database_name="mydatabase", + role=crawler_role.role_arn, + targets={ + "s3Targets": [ + { + "path": "s3://your-s3-bucket/path/to/crawl", + } + ] + }, + crawler_security_configuration="aaa" + ) + +app = core.App() +GlueCrawlerStack(app, "GlueCrawlerStack") +app.synth() + + +class GlueDevEndpointStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an AWS Glue Security Configuration (You need to create one separately) + security_configuration_name = "MySecurityConfiguration" # Replace with your security config name + + # Create an AWS Glue DevEndpoint + dev_endpoint = glue.CfnDevEndpoint( + self, + "MyDevEndpoint", + role_arn="arn:aws:iam::YOUR_ACCOUNT_ID:role/YourGlueDevEndpointRole", + security_configuration=security_configuration_name, + worker_type="Standard", + glue_version="1.0", + ) + +app = core.App() +GlueDevEndpointStack(app, "GlueDevEndpointStack") +app.synth() + +class GlueJobStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an AWS Glue Security Configuration (You need to create one separately) + security_configuration_name = "MySecurityConfiguration" # Replace with your security config name + + # Create an AWS Glue Job + job = glue.CfnJob( + self, + "MyGlueJob", + command={ + "name": "glueetl", + "pythonVersion": "3" + }, + default_arguments={ + "--job-language": "python" + }, + security_configuration=security_configuration_name, + max_capacity=10, + glue_version="1.0" + ) + +app = core.App() +GlueJobStack(app, "GlueJobStack") +app.synth() + diff --git a/cdk_integration_tests/src/python/LambdaDLQConfigured/fail__2__.py b/cdk_integration_tests/src/python/LambdaDLQConfigured/fail__2__.py new file mode 100644 index 00000000000..ed7b12e80b9 --- /dev/null +++ b/cdk_integration_tests/src/python/LambdaDLQConfigured/fail__2__.py @@ -0,0 +1,51 @@ +from aws_cdk import core +from aws_cdk import aws_lambda as _lambda +from aws_cdk import aws_sqs as sqs +from aws_cdk import aws_sam as sam +class MyLambdaStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create the Dead Letter Queue + dlq = sqs.Queue( + self, + "MyDeadLetterQueue", + visibility_timeout=core.Duration.seconds(300), # Adjust as needed + ) + + # Create the Lambda function with a DLQ + my_lambda_function = _lambda.Function( + self, + "MyLambdaFunction", + runtime=_lambda.Runtime.PYTHON_3_8, + handler="index.handler", + code=_lambda.Code.from_asset("path/to/your/code"), + function_name="my-function-name", + ) + + + +class MySAMLambdaStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create the Dead Letter Queue + dlq = sqs.Queue( + self, + "MyDeadLetterQueue", + visibility_timeout=core.Duration.seconds(300), # Adjust as needed + ) + + # Create the SAM Lambda function with a DLQ + my_sam_lambda_function = sam.CfnFunction( + self, + "MySAMLambdaFunction", + handler="index.handler", + runtime="nodejs14.x", + code_uri="./my-code", + function_name="my-function-name", + ) + + diff --git a/cdk_integration_tests/src/python/LambdaDLQConfigured/pass.py b/cdk_integration_tests/src/python/LambdaDLQConfigured/pass.py new file mode 100644 index 00000000000..094660a1650 --- /dev/null +++ b/cdk_integration_tests/src/python/LambdaDLQConfigured/pass.py @@ -0,0 +1,55 @@ +from aws_cdk import core +from aws_cdk import aws_lambda as _lambda +from aws_cdk import aws_sqs as sqs +from aws_cdk import aws_sam as sam +class MyLambdaStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create the Dead Letter Queue + dlq = sqs.Queue( + self, + "MyDeadLetterQueue", + visibility_timeout=core.Duration.seconds(300), # Adjust as needed + ) + + # Create the Lambda function with a DLQ + my_lambda_function = _lambda.Function( + self, + "MyLambdaFunction", + runtime=_lambda.Runtime.PYTHON_3_8, + handler="index.handler", + code=_lambda.Code.from_asset("path/to/your/code"), + function_name="my-function-name", + dead_letter_queue=dlq, + ) + + + +class MySAMLambdaStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create the Dead Letter Queue + dlq = sqs.Queue( + self, + "MyDeadLetterQueue", + visibility_timeout=core.Duration.seconds(300), # Adjust as needed + ) + + # Create the SAM Lambda function with a DLQ + my_sam_lambda_function = sam.CfnFunction( + self, + "MySAMLambdaFunction", + handler="index.handler", + runtime="nodejs14.x", + code_uri="./my-code", + function_name="my-function-name", + dead_letter_queue=sam.CfnFunction.DeadLetterQueueProperty( + target_arn=dlq.queue_arn + ), + ) + + diff --git a/cdk_integration_tests/src/python/LambdaFunctionLevelConcurrentExecutionLimit/fail__2__.py b/cdk_integration_tests/src/python/LambdaFunctionLevelConcurrentExecutionLimit/fail__2__.py new file mode 100644 index 00000000000..b98f35d05d5 --- /dev/null +++ b/cdk_integration_tests/src/python/LambdaFunctionLevelConcurrentExecutionLimit/fail__2__.py @@ -0,0 +1,37 @@ +from aws_cdk import core +from aws_cdk.aws_lambda import Function, Runtime, Code +from aws_cdk.aws_sam import CfnFunction + +class MyLambdaStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + my_lambda_function = Function( + self, + "MyLambdaFunction", + runtime=Runtime.PYTHON_3_8, # Set the Lambda function's runtime + handler="index.handler", # Specify the Lambda handler + code=Code.from_asset("path/to/your/code"), # Define the code location + function_name="my-function-name", # Optionally set the function name + role=my_lambda_execution_role, # Provide an IAM role for the function + timeout=core.Duration.seconds(10), # Set the function timeout + ) +class MyLambdaStack2(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + my_lambda_function = CfnFunction( + self, + "MyLambdaFunction", + handler="index.handler", # Specify the Lambda handler + runtime="nodejs14.x", # Set the Lambda function's runtime + code_uri="./my-code", # Specify the location of your code + function_name="my-function-name", # Optionally set the function name + role=my_lambda_execution_role, # Provide an IAM role for the function + timeout=10, # Set the function timeout + ) + + # You can add other configurations and permissions for your Lambda function here + diff --git a/cdk_integration_tests/src/python/LambdaFunctionLevelConcurrentExecutionLimit/pass.py b/cdk_integration_tests/src/python/LambdaFunctionLevelConcurrentExecutionLimit/pass.py new file mode 100644 index 00000000000..0cd89e4e1f9 --- /dev/null +++ b/cdk_integration_tests/src/python/LambdaFunctionLevelConcurrentExecutionLimit/pass.py @@ -0,0 +1,39 @@ +from aws_cdk import core +from aws_cdk.aws_lambda import Function, Runtime, Code +from aws_cdk.aws_sam import CfnFunction + +class MyLambdaStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + my_lambda_function = Function( + self, + "MyLambdaFunction", + runtime=Runtime.PYTHON_3_8, # Set the Lambda function's runtime + handler="index.handler", # Specify the Lambda handler + code=Code.from_asset("path/to/your/code"), # Define the code location + function_name="my-function-name", # Optionally set the function name + role=my_lambda_execution_role, # Provide an IAM role for the function + timeout=core.Duration.seconds(10), # Set the function timeout + reserved_concurrent_executions=5 + ) +class MyLambdaStack2(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + my_lambda_function = CfnFunction( + self, + "MyLambdaFunction", + handler="index.handler", # Specify the Lambda handler + runtime="nodejs14.x", # Set the Lambda function's runtime + code_uri="./my-code", # Specify the location of your code + function_name="my-function-name", # Optionally set the function name + role=my_lambda_execution_role, # Provide an IAM role for the function + timeout=10, # Set the function timeout + reserved_concurrent_executions=5 + ) + + # You can add other configurations and permissions for your Lambda function here + diff --git a/cdk_integration_tests/src/python/LambdaInVPC/fail__2__.py b/cdk_integration_tests/src/python/LambdaInVPC/fail__2__.py new file mode 100644 index 00000000000..605d80c58df --- /dev/null +++ b/cdk_integration_tests/src/python/LambdaInVPC/fail__2__.py @@ -0,0 +1,43 @@ +from aws_cdk import core +from aws_cdk import aws_lambda as _lambda +from aws_cdk import aws_ec2 as ec2 +from aws_cdk import aws_sam as sam + +class MyLambdaStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a Lambda function in the VPC + my_lambda_function = _lambda.Function( + self, + "MyLambdaFunction", + runtime=_lambda.Runtime.PYTHON_3_8, + handler="index.handler", + code=_lambda.Code.from_asset("path/to/your/code"), + function_name="my-function-name", + security_group=my_vpc.vpc_default_security_group, + allow_public_subnet=False, # Set to True if you want public subnets + ) + +class MySAMLambdaStack2(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a custom VPC + my_vpc = ec2.Vpc( + self, + "MyVPC", + max_azs=2, # Set the number of Availability Zones as needed + ) + + # Define the Serverless::Function within the VPC + my_sam_lambda_function = sam.CfnFunction( + self, + "MySAMLambdaFunction", + handler="index.handler", + runtime="nodejs14.x", + code_uri="./my-code", + ) + diff --git a/cdk_integration_tests/src/python/LambdaInVPC/pass.py b/cdk_integration_tests/src/python/LambdaInVPC/pass.py new file mode 100644 index 00000000000..100a11f77bb --- /dev/null +++ b/cdk_integration_tests/src/python/LambdaInVPC/pass.py @@ -0,0 +1,58 @@ +from aws_cdk import core +from aws_cdk import aws_lambda as _lambda +from aws_cdk import aws_ec2 as ec2 +from aws_cdk import aws_sam as sam + +class MyLambdaStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a VPC + my_vpc = ec2.Vpc( + self, + "MyVPC", + max_azs=2, # Set the number of Availability Zones as needed + ) + + # Create a Lambda function in the VPC + my_lambda_function = _lambda.Function( + self, + "MyLambdaFunction", + runtime=_lambda.Runtime.PYTHON_3_8, + handler="index.handler", + code=_lambda.Code.from_asset("path/to/your/code"), + function_name="my-function-name", + vpc=my_vpc, + security_group=my_vpc.vpc_default_security_group, + allow_public_subnet=False, # Set to True if you want public subnets + ) + +class MySAMLambdaStack2(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a custom VPC + my_vpc = ec2.Vpc( + self, + "MyVPC", + max_azs=2, # Set the number of Availability Zones as needed + ) + + # Define the Serverless::Function within the VPC + my_sam_lambda_function = sam.CfnFunction( + self, + "MySAMLambdaFunction", + handler="index.handler", + runtime="nodejs14.x", + code_uri="./my-code", + function_name="my-function-name", + vpc_config=sam.CfnFunction.VpcConfigProperty( + security_group_ids=[my_vpc.vpc_default_security_group], + subnet_ids=my_vpc.select_subnets( + subnet_group_name="your-subnet-group-name" + ).subnet_ids, + ), + ) + diff --git a/cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/fail__2__.py b/cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/fail__2__.py new file mode 100644 index 00000000000..84a5cbf202b --- /dev/null +++ b/cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/fail__2__.py @@ -0,0 +1,41 @@ +from aws_cdk import core +from aws_cdk import aws_neptune as neptune + +class MyNeptuneStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a Neptune DB cluster with storage encryption enabled + neptune_cluster = neptune.CfnDBCluster( + self, + "MyNeptuneCluster", + engine="neptune", + db_cluster_identifier="my-neptune-cluster", + master_username="admin", + master_user_password="mypassword", # checkov:skip=CKV_SECRET_6 test secret + storage_encrypted=False, # Enable storage encryption + port=8182, # Specify the port as needed + availability_zones=["us-east-1a", "us-east-1b"], # Specify the availability zones + ) + +class MyNeptuneStack2(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a Neptune DB cluster with storage encryption enabled + neptune_cluster = neptune.DatabaseCluster( + self, + "MyNeptuneCluster", + engine=neptune.DatabaseClusterEngine.NEPTUNE, + master_user=neptune.Login( + username="admin", + password="mypassword", # checkov:skip=CKV_SECRET_6 test secret + ), + default_database_name="mydb", + removal_policy=core.RemovalPolicy.DESTROY, # Set the removal policy as needed + vpc=your_vpc, # Specify the VPC where the cluster should be deployed + instances=1, # Specify the number of instances + ) + diff --git a/cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/pass.py b/cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/pass.py new file mode 100644 index 00000000000..0150bbbc47f --- /dev/null +++ b/cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/pass.py @@ -0,0 +1,42 @@ +from aws_cdk import core +from aws_cdk import aws_neptune as neptune + +class MyNeptuneStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a Neptune DB cluster with storage encryption enabled + neptune_cluster = neptune.CfnDBCluster( + self, + "MyNeptuneCluster", + engine="neptune", + db_cluster_identifier="my-neptune-cluster", + master_username="admin", + master_user_password="mypassword", # checkov:skip=CKV_SECRET_6 test secret + storage_encrypted=True, # Enable storage encryption + port=8182, # Specify the port as needed + availability_zones=["us-east-1a", "us-east-1b"], # Specify the availability zones + ) + +class MyNeptuneStack2(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a Neptune DB cluster with storage encryption enabled + neptune_cluster = neptune.DatabaseCluster( + self, + "MyNeptuneCluster", + engine=neptune.DatabaseClusterEngine.NEPTUNE, + master_user=neptune.Login( + username="admin", + password="mypassword", # checkov:skip=CKV_SECRET_6 test secret + ), + default_database_name="mydb", + storage_encrypted=True, # Enable storage encryption + removal_policy=core.RemovalPolicy.DESTROY, # Set the removal policy as needed + vpc=your_vpc, # Specify the VPC where the cluster should be deployed + instances=1, # Specify the number of instances + ) + diff --git a/cdk_integration_tests/src/python/RedshiftClusterEncryption/fail__1__.py b/cdk_integration_tests/src/python/RedshiftClusterEncryption/fail__1__.py new file mode 100644 index 00000000000..82b55cf8ab1 --- /dev/null +++ b/cdk_integration_tests/src/python/RedshiftClusterEncryption/fail__1__.py @@ -0,0 +1,22 @@ +from aws_cdk import core +from aws_cdk import aws_redshift as redshift + +class RedshiftClusterStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an Amazon Redshift cluster + redshift_cluster = redshift.CfnCluster( + self, + "MyRedshiftCluster", + cluster_identifier="my-redshift-cluster", + master_username="admin", + master_user_password="MySecurePassword123", # checkov:skip=CKV_SECRET_6 test secret + node_type="dc2.large", + cluster_type="single-node", + ) + +app = core.App() +RedshiftClusterStack(app, "RedshiftClusterStack") +app.synth() diff --git a/cdk_integration_tests/src/python/RedshiftClusterEncryption/pass.py b/cdk_integration_tests/src/python/RedshiftClusterEncryption/pass.py new file mode 100644 index 00000000000..faab7ce6907 --- /dev/null +++ b/cdk_integration_tests/src/python/RedshiftClusterEncryption/pass.py @@ -0,0 +1,23 @@ +from aws_cdk import core +from aws_cdk import aws_redshift as redshift + +class RedshiftClusterStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an Amazon Redshift cluster + redshift_cluster = redshift.CfnCluster( + self, + "MyRedshiftCluster", + cluster_identifier="my-redshift-cluster", + master_username="admin", + master_user_password="MySecurePassword123", # checkov:skip=CKV_SECRET_6 test secret + node_type="dc2.large", + cluster_type="single-node", + encrypted=True # Enable encryption + ) + +app = core.App() +RedshiftClusterStack(app, "RedshiftClusterStack") +app.synth() diff --git a/cdk_integration_tests/src/python/S3BlockPublicACLs/fail__2__.py b/cdk_integration_tests/src/python/S3BlockPublicACLs/fail__2__.py new file mode 100644 index 00000000000..59efcbca905 --- /dev/null +++ b/cdk_integration_tests/src/python/S3BlockPublicACLs/fail__2__.py @@ -0,0 +1,37 @@ +from aws_cdk import core +from aws_cdk import aws_s3 as s3 + +class S3BucketWithBlockPublicAclsStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + s3.Bucket( + self, + "MyBucket", + block_public_access=s3.BlockPublicAccess(block_public_acls=False) + ) + +app = core.App() +S3BucketWithBlockPublicAclsStack(app, "S3BucketWithBlockPublicAclsStack") +app.synth() + +class S3BucketWithBlockPublicAclsStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + s3.CfnBucket( + self, + "MyBucket", + public_access_block_configuration={ + "blockPublicAcls": False, + "blockPublicPolicy": True, + "ignorePublicAcls": True, + "restrictPublicBuckets": True + } + ) + +app = core.App() +S3BucketWithBlockPublicAclsStack(app, "S3BucketWithBlockPublicAclsStack") +app.synth() diff --git a/cdk_integration_tests/src/python/S3BlockPublicACLs/pass.py b/cdk_integration_tests/src/python/S3BlockPublicACLs/pass.py new file mode 100644 index 00000000000..275706aa6cd --- /dev/null +++ b/cdk_integration_tests/src/python/S3BlockPublicACLs/pass.py @@ -0,0 +1,39 @@ +from aws_cdk import core +from aws_cdk import aws_s3 as s3 + +class S3BucketWithBlockPublicAclsStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + s3.CfnBucket( + self, + "MyBucket", + public_access_block_configuration={ + "blockPublicAcls": True, + "blockPublicPolicy": True, + "ignorePublicAcls": True, + "restrictPublicBuckets": True + } + ) + +app = core.App() +S3BucketWithBlockPublicAclsStack(app, "S3BucketWithBlockPublicAclsStack") +app.synth() + + + +class S3BucketWithBlockPublicAclsStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + s3.Bucket( + self, + "MyBucket", + block_public_access=s3.BlockPublicAccess(block_public_acls=True) + ) + +app = core.App() +S3BucketWithBlockPublicAclsStack(app, "S3BucketWithBlockPublicAclsStack") +app.synth() diff --git a/cdk_integration_tests/src/python/S3PublicACLWrite/fail__2__.py b/cdk_integration_tests/src/python/S3PublicACLWrite/fail__2__.py new file mode 100644 index 00000000000..eeeba759996 --- /dev/null +++ b/cdk_integration_tests/src/python/S3PublicACLWrite/fail__2__.py @@ -0,0 +1,25 @@ +from constructs import Construct +from aws_cdk import App, Stack +from aws_cdk import ( + aws_s3 as s3 +) + + +class MyS3Stack(Stack): + + def __init__(self, scope: Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + bucket2 = s3.Bucket(self, "MyPublicReadBucket2", + bucket_name="my-public-read-bucket2", + access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE + ) + + bucket3 = s3.Bucket(self, "MyPublicReadBucket3", + bucket_name="my-public-read-bucket3", + public_read_access=True + ) + +app = App() +MyS3Stack(app, "MyS3Stack") +app.synth() \ No newline at end of file diff --git a/cdk_integration_tests/src/python/S3PublicACLWrite/pass.py b/cdk_integration_tests/src/python/S3PublicACLWrite/pass.py new file mode 100644 index 00000000000..ca6ab9be235 --- /dev/null +++ b/cdk_integration_tests/src/python/S3PublicACLWrite/pass.py @@ -0,0 +1,24 @@ +from constructs import Construct +from aws_cdk import App, Stack +from aws_cdk import ( + aws_s3 as s3 +) + + +class MyS3Stack(Stack): + + def __init__(self, scope: Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + bucket = s3.Bucket(self, "MyPublicReadBucket", + bucket_name="my-public-read-bucket" + ) + + bucket2 = s3.Bucket(self, "MyPublicReadBucket2", + bucket_name="my-public-read-bucket2", + access_control=s3.BucketAccessControl.PRIVATE + ) + +app = App() +MyS3Stack(app, "MyS3Stack") +app.synth() diff --git a/cdk_integration_tests/src/python/S3RestrictPublicBuckets/fail__2__.py b/cdk_integration_tests/src/python/S3RestrictPublicBuckets/fail__2__.py new file mode 100644 index 00000000000..ff5e4be6649 --- /dev/null +++ b/cdk_integration_tests/src/python/S3RestrictPublicBuckets/fail__2__.py @@ -0,0 +1,46 @@ +from aws_cdk import core +from aws_cdk import aws_s3 as s3 + +class S3BucketWithPublicAccessStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + s3.Bucket( + self, + "aaa", + versioned=False, # You can enable versioning if needed + removal_policy=core.RemovalPolicy.DESTROY, # Change this according to your retention policy + block_public_acls=True, + block_public_policy=True, + ignore_public_acls=True, + restrict_public_buckets=False + ) + +app = core.App() +S3BucketWithPublicAccessStack(app, "S3BucketWithPublicAccessStack") +app.synth() + +class PublicS3BucketStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a CloudFormation S3 bucket resource + public_bucket = s3.CfnBucket( + self, + "PublicBucket", + versioning_configuration={ + "status": "Suspended" # You can enable versioning if needed + }, + public_access_block_configuration={ + "blockPublicAcls": True, + "blockPublicPolicy": True, + "ignorePublicAcls": True, + "restrictPublicBuckets": False + } + ) + +app = core.App() +PublicS3BucketStack(app, "PublicS3BucketStack") +app.synth() + diff --git a/cdk_integration_tests/src/python/S3RestrictPublicBuckets/pass.py b/cdk_integration_tests/src/python/S3RestrictPublicBuckets/pass.py new file mode 100644 index 00000000000..ce1c5a10830 --- /dev/null +++ b/cdk_integration_tests/src/python/S3RestrictPublicBuckets/pass.py @@ -0,0 +1,46 @@ +from aws_cdk import core +from aws_cdk import aws_s3 as s3 + +class S3BucketWithPublicAccessStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + s3.Bucket( + self, + "aaa", + versioned=False, # You can enable versioning if needed + removal_policy=core.RemovalPolicy.DESTROY, # Change this according to your retention policy + block_public_acls=True, + block_public_policy=True, + ignore_public_acls=True, + restrict_public_buckets=True + ) + +app = core.App() +S3BucketWithPublicAccessStack(app, "S3BucketWithPublicAccessStack") +app.synth() + +class PublicS3BucketStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a CloudFormation S3 bucket resource + public_bucket = s3.CfnBucket( + self, + "PublicBucket", + versioning_configuration={ + "status": "Suspended" # You can enable versioning if needed + }, + public_access_block_configuration={ + "blockPublicAcls": True, + "blockPublicPolicy": True, + "ignorePublicAcls": True, + "restrictPublicBuckets": True + } + ) + +app = core.App() +PublicS3BucketStack(app, "PublicS3BucketStack") +app.synth() + diff --git a/cdk_integration_tests/src/python/SQSQueueEncryption/fail__2__.py b/cdk_integration_tests/src/python/SQSQueueEncryption/fail__2__.py new file mode 100644 index 00000000000..05f876d8aa1 --- /dev/null +++ b/cdk_integration_tests/src/python/SQSQueueEncryption/fail__2__.py @@ -0,0 +1,32 @@ +from aws_cdk import core +from aws_cdk import aws_sqs as sqs +class SqsQueueWithKmsKeyStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create an SQS queue with KMS encryption + queue = sqs.Queue(self, "MySqsQueue", + encryption=sqs.QueueEncryption.KMS, + visibility_timeout=300 # Other properties for the queue + ) + +app = core.App() +SqsQueueWithKmsKeyStack(app, "SqsQueueWithKmsKeyStack") +app.synth() + + + +class SqsQueueWithKmsKeyIdStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define an SQS queue with a specific KmsMasterKeyId + queue = sqs.CfnQueue(self, "MySqsQueue", + visibility_timeout=300 # Other properties for the queue + ) + +app = core.App() +SqsQueueWithKmsKeyIdStack(app, "SqsQueueWithKmsKeyIdStack") +app.synth() diff --git a/cdk_integration_tests/src/python/SQSQueueEncryption/pass.py b/cdk_integration_tests/src/python/SQSQueueEncryption/pass.py new file mode 100644 index 00000000000..2cdbd3005ae --- /dev/null +++ b/cdk_integration_tests/src/python/SQSQueueEncryption/pass.py @@ -0,0 +1,45 @@ +from aws_cdk import core +from aws_cdk import aws_sqs as sqs +from aws_cdk import aws_kms as kms +from aws_cdk import aws_cloudformation as cfn +class SqsQueueWithKmsKeyStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a KMS key for encryption + kms_key = kms.Key(self, "MyKmsKey", enable_key_rotation=True) + + # Create an SQS queue with KMS encryption + queue = sqs.Queue(self, "MySqsQueue", + encryption=sqs.QueueEncryption.KMS, + encryption_master_key=kms_key, + visibility_timeout=300 # Other properties for the queue + ) + +app = core.App() +SqsQueueWithKmsKeyStack(app, "SqsQueueWithKmsKeyStack") +app.synth() + + + +class SqsQueueWithKmsKeyIdStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define a custom KMS key + kms_key = cfn.CfnCustomResource(self, "MyKmsKeyResource", + service_token="arn:aws:lambda:::function/", + # Add other properties as needed + ) + + # Define an SQS queue with a specific KmsMasterKeyId + queue = sqs.CfnQueue(self, "MySqsQueue", + kms_master_key_id=kms_key.get_att("KmsKeyId"), + visibility_timeout=300 # Other properties for the queue + ) + +app = core.App() +SqsQueueWithKmsKeyIdStack(app, "SqsQueueWithKmsKeyIdStack") +app.synth() diff --git a/cdk_integration_tests/src/python/WAFEnabled/fail__1__.py b/cdk_integration_tests/src/python/WAFEnabled/fail__1__.py new file mode 100644 index 00000000000..035ec68ebf2 --- /dev/null +++ b/cdk_integration_tests/src/python/WAFEnabled/fail__1__.py @@ -0,0 +1,23 @@ +from aws_cdk import core +from aws_cdk import aws_cloudfront as cloudfront + +class CloudFrontDistributionStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a CloudFront distribution + distribution = cloudfront.CfnDistribution( + self, + "MyCloudFrontDistribution", + distribution_config={ + "defaultCacheBehavior": { + # Configure your cache behavior as needed + }, + "enabled": True, + } + ) + +app = core.App() +CloudFrontDistributionStack(app, "CloudFrontDistributionStack") +app.synth() diff --git a/cdk_integration_tests/src/python/WAFEnabled/pass.py b/cdk_integration_tests/src/python/WAFEnabled/pass.py new file mode 100644 index 00000000000..40e03414d83 --- /dev/null +++ b/cdk_integration_tests/src/python/WAFEnabled/pass.py @@ -0,0 +1,35 @@ +from aws_cdk import core +from aws_cdk import aws_cloudfront as cloudfront +from aws_cdk import aws_wafv2 as wafv2 + +class CloudFrontDistributionStack(core.Stack): + + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a WebACL + web_acl = wafv2.CfnWebACL( + self, + "MyWebACL", + default_action={ + "allow": {} + }, + # Configure your WebACL as needed + ) + + # Create a CloudFront distribution + distribution = cloudfront.CfnDistribution( + self, + "MyCloudFrontDistribution", + distribution_config={ + "defaultCacheBehavior": { + # Configure your cache behavior as needed + }, + "enabled": True, + "webAclId": web_acl.attr_arn # Set the WebACL association + } + ) + +app = core.App() +CloudFrontDistributionStack(app, "CloudFrontDistributionStack") +app.synth() diff --git a/cdk_integration_tests/src/python/WorkspaceRootVolumeEncrypted/fail__1__.py b/cdk_integration_tests/src/python/WorkspaceRootVolumeEncrypted/fail__1__.py new file mode 100644 index 00000000000..37de49de9ae --- /dev/null +++ b/cdk_integration_tests/src/python/WorkspaceRootVolumeEncrypted/fail__1__.py @@ -0,0 +1,28 @@ +from aws_cdk import core +from aws_cdk import aws_workspaces as workspaces + +class WorkSpacesStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a WorkSpaces directory + directory = workspaces.CfnWorkspaceDirectory( + self, "MyWorkspaceDirectory", + directory_name="my-workspace-directory", + subnet_ids=["subnet-12345678"], # Replace with your subnet IDs + self_service_permissions="ENABLED", + ) + + # Create a WorkSpaces workspace with root volume encryption enabled + workspace = workspaces.CfnWorkspace( + self, "MyWorkspace", + bundle_id="wsb-12345678", # Replace with your bundle ID + user_name="my-user", + root_volume_encryption_enabled=False, + user_volume_encryption_enabled=False, # Set to True if you want user volume encryption + workspace_properties={"directoryId": directory.ref}, + ) + +app = core.App() +WorkSpacesStack(app, "WorkSpacesStack") +app.synth() diff --git a/cdk_integration_tests/src/python/WorkspaceRootVolumeEncrypted/pass.py b/cdk_integration_tests/src/python/WorkspaceRootVolumeEncrypted/pass.py new file mode 100644 index 00000000000..adc331d5e4d --- /dev/null +++ b/cdk_integration_tests/src/python/WorkspaceRootVolumeEncrypted/pass.py @@ -0,0 +1,28 @@ +from aws_cdk import core +from aws_cdk import aws_workspaces as workspaces + +class WorkSpacesStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a WorkSpaces directory + directory = workspaces.CfnWorkspaceDirectory( + self, "MyWorkspaceDirectory", + directory_name="my-workspace-directory", + subnet_ids=["subnet-12345678"], # Replace with your subnet IDs + self_service_permissions="ENABLED", + ) + + # Create a WorkSpaces workspace with root volume encryption enabled + workspace = workspaces.CfnWorkspace( + self, "MyWorkspace", + bundle_id="wsb-12345678", # Replace with your bundle ID + user_name="my-user", + root_volume_encryption_enabled=True, + user_volume_encryption_enabled=False, # Set to True if you want user volume encryption + workspace_properties={"directoryId": directory.ref}, + ) + +app = core.App() +WorkSpacesStack(app, "WorkSpacesStack") +app.synth() diff --git a/cdk_integration_tests/src/python/WorkspaceUserVolumeEncrypted/fail__1__.py b/cdk_integration_tests/src/python/WorkspaceUserVolumeEncrypted/fail__1__.py new file mode 100644 index 00000000000..688de65bf2a --- /dev/null +++ b/cdk_integration_tests/src/python/WorkspaceUserVolumeEncrypted/fail__1__.py @@ -0,0 +1,28 @@ +from aws_cdk import core +from aws_cdk import aws_workspaces as workspaces + +class WorkSpacesStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a WorkSpaces directory + directory = workspaces.CfnWorkspaceDirectory( + self, "MyWorkspaceDirectory", + directory_name="my-workspace-directory", + subnet_ids=["subnet-12345678"], # Replace with your subnet IDs + self_service_permissions="ENABLED", + ) + + # Create a WorkSpaces workspace with root volume encryption enabled + workspace = workspaces.CfnWorkspace( + self, "MyWorkspace", + bundle_id="wsb-12345678", # Replace with your bundle ID + user_name="my-user", + root_volume_encryption_enabled=False, + user_volume_encryption_enabled=False, + workspace_properties={"directoryId": directory.ref}, + ) + +app = core.App() +WorkSpacesStack(app, "WorkSpacesStack") +app.synth() diff --git a/cdk_integration_tests/src/python/WorkspaceUserVolumeEncrypted/pass.py b/cdk_integration_tests/src/python/WorkspaceUserVolumeEncrypted/pass.py new file mode 100644 index 00000000000..618e0afb06f --- /dev/null +++ b/cdk_integration_tests/src/python/WorkspaceUserVolumeEncrypted/pass.py @@ -0,0 +1,28 @@ +from aws_cdk import core +from aws_cdk import aws_workspaces as workspaces + +class WorkSpacesStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Create a WorkSpaces directory + directory = workspaces.CfnWorkspaceDirectory( + self, "MyWorkspaceDirectory", + directory_name="my-workspace-directory", + subnet_ids=["subnet-12345678"], # Replace with your subnet IDs + self_service_permissions="ENABLED", + ) + + # Create a WorkSpaces workspace with root volume encryption enabled + workspace = workspaces.CfnWorkspace( + self, "MyWorkspace", + bundle_id="wsb-12345678", # Replace with your bundle ID + user_name="my-user", + root_volume_encryption_enabled=True, + user_volume_encryption_enabled=True, + workspace_properties={"directoryId": directory.ref}, + ) + +app = core.App() +WorkSpacesStack(app, "WorkSpacesStack") +app.synth() diff --git a/cdk_integration_tests/test_checks_python.py b/cdk_integration_tests/test_checks_python.py index 31fc2f528a0..1bbe3716d0e 100644 --- a/cdk_integration_tests/test_checks_python.py +++ b/cdk_integration_tests/test_checks_python.py @@ -35,3 +35,95 @@ def test_CKV_AWS_20_S3PublicACLRead(): def test_CKV_AWS_55_S3IgnorePublicACLs(): run_check(lang='python', check_name="S3IgnorePublicACLs") + + +def test_CKV_AWS_56_S3RestrictPublicBuckets(): + run_check(lang='python', check_name="S3RestrictPublicBuckets") + + +def test_CKV_AWS_53_S3BlockPublicACLs(): + run_check(lang='python', check_name="S3BlockPublicACLs") + + +def test_CKV_AWS_57_S3PublicACLWrite(): + run_check(lang='python', check_name="S3PublicACLWrite") + + +def test_CKV_AWS_115_LambdaFunctionLevelConcurrentExecutionLimit(): + run_check(lang='python', check_name="LambdaFunctionLevelConcurrentExecutionLimit") + + +def test_CKV_AWS_116_LambdaDLQConfigured(): + run_check(lang='python', check_name="LambdaDLQConfigured") + + +def test_CKV_AWS_28_DynamodbRecovery(): + run_check(lang='python', check_name="DynamodbRecovery") + + +def test_CKV_AWS_158_CloudWatchLogGroupKMSKey(): + run_check(lang='python', check_name="CloudWatchLogGroupKMSKey") + + +def test_CKV_AWS_3_EBSEncryption(): + run_check(lang='python', check_name="EBSEncryption") + + +def test_CKV_AWS_120_APIGatewayCacheEnable(): + run_check(lang='python', check_name="APIGatewayCacheEnable") + + +def test_CKV_AWS_163_ECRImageScanning(): + run_check(lang='python', check_name="ECRImageScanning") + + +def test_CKV_AWS_51_ECRImmutableTags(): + run_check(lang='python', check_name="ECRImmutableTags") + + +def test_CKV_AWS_44_NeptuneClusterStorageEncrypted(): + run_check(lang='python', check_name="NeptuneClusterStorageEncrypted") + + +def test_CKV_AWS_166_BackupVaultEncrypted(): + run_check(lang='python', check_name="BackupVaultEncrypted") + + +def test_CKV_AWS_74_DocDBEncryption(): + run_check(lang='python', check_name="DocDBEncryption") + + +def test_CKV_AWS_47_DAXEncryption(): + run_check(lang='python', check_name="DAXEncryption") + + +def test_CKV_AWS_156_WorkspaceRootVolumeEncrypted(): + run_check(lang='python', check_name="WorkspaceRootVolumeEncrypted") + + +def test_CKV_AWS_155_WorkspaceUserVolumeEncrypted(): + run_check(lang='python', check_name="WorkspaceUserVolumeEncrypted") + + +def test_CKV_AWS_165_DynamodbGlobalTableRecovery(): + run_check(lang='python', check_name="DynamodbGlobalTableRecovery") + + +def test_CKV_AWS_27_SQSQueueEncryption(): + run_check(lang='python', check_name="SQSQueueEncryption") + + +def test_CKV_AWS_195_GlueSecurityConfigurationEnabled(): + run_check(lang='python', check_name="GlueSecurityConfigurationEnabled") + + +def test_CKV_AWS_30_ElasticacheReplicationGroupEncryptionAtTransit(): + run_check(lang='python', check_name="ElasticacheReplicationGroupEncryptionAtTransit") + + +def test_CKV_AWS_68_WAFEnabled(): + run_check(lang='python', check_name="WAFEnabled") + + +def test_CKV_AWS_64_RedshiftClusterEncryption(): + run_check(lang='python', check_name="RedshiftClusterEncryption") diff --git a/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py b/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py index 4a04c534760..9c6853e3061 100644 --- a/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py +++ b/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py @@ -1,16 +1,20 @@ +from __future__ import annotations + +from typing import Any + from checkov.common.models.enums import CheckResult, CheckCategories from checkov.arm.base_parameter_check import BaseParameterCheck class SecureStringParameterNoHardcodedValue(BaseParameterCheck): - def __init__(self): + def __init__(self) -> None: name = "SecureString parameter should not have hardcoded default values" id = "CKV_AZURE_131" - supported_resources = ['secureString'] - categories = [CheckCategories.SECRETS] + supported_resources = ('secureString',) + categories = (CheckCategories.SECRETS,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) - def scan_resource_conf(self, conf): + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: # https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/test-cases#secure-parameters-cant-have-hardcoded-default default_value = conf.get('defaultValue') if default_value: # should be missing, or an empty string diff --git a/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py b/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py index 12b3387ae77..59b8edcc663 100644 --- a/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py +++ b/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py @@ -1,21 +1,28 @@ +from typing import Any + from checkov.common.models.consts import ANY_VALUE from checkov.common.models.enums import CheckCategories, CheckResult from checkov.arm.base_resource_value_check import BaseResourceValueCheck class APIServicesUseVirtualNetwork(BaseResourceValueCheck): - def __init__(self): + def __init__(self) -> None: name = "Ensure that API management services use virtual networks" id = "CKV_AZURE_107" - supported_resources = ['Microsoft.ApiManagement/service'] - categories = [CheckCategories.NETWORKING] - super().__init__(name=name, id=id, categories=categories, - supported_resources=supported_resources, missing_block_result=CheckResult.FAILED) + supported_resources = ("Microsoft.ApiManagement/service",) + categories = (CheckCategories.NETWORKING,) + super().__init__( + name=name, + id=id, + categories=categories, + supported_resources=supported_resources, + missing_block_result=CheckResult.FAILED, + ) - def get_inspected_key(self): + def get_inspected_key(self) -> str: return "properties/virtualNetworkConfiguration" - def get_expected_value(self): + def get_expected_value(self) -> Any: return ANY_VALUE diff --git a/checkov/arm/checks/resource/AppServiceHttps20Enabled.py b/checkov/arm/checks/resource/AppServiceHttps20Enabled.py index ed6403e0b7c..411a2486e19 100644 --- a/checkov/arm/checks/resource/AppServiceHttps20Enabled.py +++ b/checkov/arm/checks/resource/AppServiceHttps20Enabled.py @@ -1,24 +1,23 @@ -from checkov.common.models.enums import CheckResult, CheckCategories -from checkov.arm.base_resource_check import BaseResourceCheck +from typing import Any -# https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites +from checkov.arm.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories -class AppServiceHttps20Enabled(BaseResourceCheck): - def __init__(self): +class AppServiceHttps20Enabled(BaseResourceValueCheck): + def __init__(self) -> None: name = "Ensure that 'HTTP Version' is the latest if used to run the web app" id = "CKV_AZURE_18" - supported_resources = ["Microsoft.Web/sites"] - categories = [CheckCategories.NETWORKING] + supported_resources = ("Microsoft.Web/sites",) + categories = (CheckCategories.NETWORKING,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) - def scan_resource_conf(self, conf): - properties = conf.get("properties") - if isinstance(properties, dict): - site_config = properties.get("siteConfig") - if isinstance(site_config, dict) and site_config.get("http20Enabled"): - return CheckResult.PASSED - return CheckResult.FAILED + def get_inspected_key(self) -> str: + # https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites + return "properties/siteConfig/http20Enabled" + + def get_expected_value(self) -> Any: + return "true" check = AppServiceHttps20Enabled() diff --git a/checkov/arm/checks/resource/AppServiceMinTLSVersion.py b/checkov/arm/checks/resource/AppServiceMinTLSVersion.py index 53cf6d97a30..4ad8978e35c 100644 --- a/checkov/arm/checks/resource/AppServiceMinTLSVersion.py +++ b/checkov/arm/checks/resource/AppServiceMinTLSVersion.py @@ -1,24 +1,23 @@ -from checkov.common.models.enums import CheckResult, CheckCategories -from checkov.arm.base_resource_check import BaseResourceCheck +from typing import Any -# https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites +from checkov.arm.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories -class AppServiceMinTLSVersion(BaseResourceCheck): - def __init__(self): +class AppServiceMinTLSVersion(BaseResourceValueCheck): + def __init__(self) -> None: name = "Ensure web app is using the latest version of TLS encryption" id = "CKV_AZURE_15" - supported_resources = ["Microsoft.Web/sites"] - categories = [CheckCategories.NETWORKING] + supported_resources = ("Microsoft.Web/sites",) + categories = (CheckCategories.NETWORKING,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) - def scan_resource_conf(self, conf): - properties = conf.get("properties") - if isinstance(properties, dict): - site_config = properties.get("siteConfig") - if isinstance(site_config, dict) and site_config.get("minTlsVersion") == "1.2": - return CheckResult.PASSED - return CheckResult.FAILED + def get_inspected_key(self) -> str: + # https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites + return "properties/siteConfig/minTlsVersion" + + def get_expected_value(self) -> Any: + return "1.2" check = AppServiceMinTLSVersion() diff --git a/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py b/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py index 02800bd9e6b..98b6e244572 100644 --- a/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py +++ b/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py @@ -1,21 +1,25 @@ +from typing import Any + from checkov.common.models.consts import ANY_VALUE from checkov.common.models.enums import CheckCategories from checkov.arm.base_resource_value_check import BaseResourceValueCheck class AzureManagedDiskEncryptionSet(BaseResourceValueCheck): - def __init__(self): - name = "Ensure that managed disks use a specific set of disk encryption sets for the " \ - "customer-managed key encryption" + def __init__(self) -> None: + name = ( + "Ensure that managed disks use a specific set of disk encryption sets for the " + "customer-managed key encryption" + ) id = "CKV_AZURE_93" - supported_resources = ['Microsoft.Compute/disks'] - categories = [CheckCategories.ENCRYPTION] + supported_resources = ("Microsoft.Compute/disks",) + categories = (CheckCategories.ENCRYPTION,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) - def get_inspected_key(self): - return 'properties/encryption/diskEncryptionSetId' + def get_inspected_key(self) -> str: + return "properties/encryption/diskEncryptionSetId" - def get_expected_value(self): + def get_expected_value(self) -> Any: return ANY_VALUE diff --git a/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py b/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py index 2d2d854a33f..dd030fcde30 100644 --- a/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py +++ b/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py @@ -1,19 +1,21 @@ +from typing import Any + from checkov.common.models.enums import CheckCategories from checkov.arm.base_resource_value_check import BaseResourceValueCheck class CognitiveServicesDisablesPublicNetwork(BaseResourceValueCheck): - def __init__(self): + def __init__(self) -> None: name = "Ensure that Cognitive Services accounts disable public network access" id = "CKV_AZURE_134" - supported_resources = ['Microsoft.CognitiveServices/accounts'] - categories = [CheckCategories.NETWORKING] + supported_resources = ("Microsoft.CognitiveServices/accounts",) + categories = (CheckCategories.NETWORKING,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) - def get_inspected_key(self): - return 'properties/publicNetworkAccess' + def get_inspected_key(self) -> str: + return "properties/publicNetworkAccess" - def get_expected_value(self): + def get_expected_value(self) -> Any: return "Disabled" diff --git a/checkov/arm/checks/resource/CosmosDBHaveCMK.py b/checkov/arm/checks/resource/CosmosDBHaveCMK.py index d05125b7361..124833899fb 100644 --- a/checkov/arm/checks/resource/CosmosDBHaveCMK.py +++ b/checkov/arm/checks/resource/CosmosDBHaveCMK.py @@ -1,20 +1,22 @@ +from typing import Any + from checkov.common.models.consts import ANY_VALUE from checkov.common.models.enums import CheckCategories from checkov.arm.base_resource_value_check import BaseResourceValueCheck class CosmosDBHaveCMK(BaseResourceValueCheck): - def __init__(self): + def __init__(self) -> None: name = "Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest" id = "CKV_AZURE_100" - supported_resources = ['Microsoft.DocumentDb/databaseAccounts'] - categories = [CheckCategories.NETWORKING] + supported_resources = ("Microsoft.DocumentDb/databaseAccounts",) + categories = (CheckCategories.NETWORKING,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) - def get_inspected_key(self): - return 'properties/keyVaultKeyUri' + def get_inspected_key(self) -> str: + return "properties/keyVaultKeyUri" - def get_expected_value(self): + def get_expected_value(self) -> Any: return ANY_VALUE diff --git a/checkov/arm/checks/resource/KeyBackedByHSM.py b/checkov/arm/checks/resource/KeyBackedByHSM.py index 5fe2a02290f..23cc9602bd5 100644 --- a/checkov/arm/checks/resource/KeyBackedByHSM.py +++ b/checkov/arm/checks/resource/KeyBackedByHSM.py @@ -1,23 +1,27 @@ +from __future__ import annotations + +from typing import Any + from checkov.common.models.enums import CheckCategories from checkov.arm.base_resource_value_check import BaseResourceValueCheck class KeyBackedByHSM(BaseResourceValueCheck): - def __init__(self): + def __init__(self) -> None: name = "Ensure that key vault key is backed by HSM" id = "CKV_AZURE_112" - supported_resources = ['Microsoft.KeyVault/vaults/keys'] - categories = [CheckCategories.BACKUP_AND_RECOVERY] + supported_resources = ("Microsoft.KeyVault/vaults/keys",) + categories = (CheckCategories.BACKUP_AND_RECOVERY,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) - def get_inspected_key(self): - return 'properties/kty' + def get_inspected_key(self) -> str: + return "properties/kty" - def get_expected_value(self): - return 'RSA-HSM' + def get_expected_value(self) -> Any: + return "RSA-HSM" - def get_expected_values(self): - return [self.get_expected_value(), 'EC-HSM'] + def get_expected_values(self) -> list[Any]: + return [self.get_expected_value(), "EC-HSM"] check = KeyBackedByHSM() diff --git a/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py b/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py index 1fa0e9e78b7..39a981946f8 100644 --- a/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py +++ b/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py @@ -1,19 +1,21 @@ +from typing import Any + from checkov.common.models.enums import CheckCategories from checkov.arm.base_resource_value_check import BaseResourceValueCheck class KeyVaultEnablesFirewallRulesSettings(BaseResourceValueCheck): - def __init__(self): + def __init__(self) -> None: name = "Ensure that key vault allows firewall rules settings" id = "CKV_AZURE_109" - supported_resources = ['Microsoft.KeyVault/vaults'] - categories = [CheckCategories.NETWORKING] + supported_resources = ("Microsoft.KeyVault/vaults",) + categories = (CheckCategories.NETWORKING,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) - def get_inspected_key(self): + def get_inspected_key(self) -> str: return "properties/networkAcls/defaultAction" - def get_expected_value(self): + def get_expected_value(self) -> Any: return "Deny" diff --git a/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py b/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py index 08126a9c98a..7406b1b8dc6 100644 --- a/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py +++ b/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py @@ -3,15 +3,15 @@ class MySQLGeoBackupEnabled(BaseResourceValueCheck): - def __init__(self): + def __init__(self) -> None: name = "Ensure that My SQL server enables geo-redundant backups" id = "CKV_AZURE_94" - supported_resources = ['Microsoft.DBforMySQL/flexibleServers'] - categories = [CheckCategories.BACKUP_AND_RECOVERY] + supported_resources = ("Microsoft.DBforMySQL/flexibleServers",) + categories = (CheckCategories.BACKUP_AND_RECOVERY,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) - def get_inspected_key(self): - return 'properties/Backup/geoRedundantBackup' + def get_inspected_key(self) -> str: + return "properties/Backup/geoRedundantBackup" check = MySQLGeoBackupEnabled() diff --git a/checkov/arm/checks/resource/NSGRulePortAccessRestricted.py b/checkov/arm/checks/resource/NSGRulePortAccessRestricted.py index c937bbf501b..587533524b2 100644 --- a/checkov/arm/checks/resource/NSGRulePortAccessRestricted.py +++ b/checkov/arm/checks/resource/NSGRulePortAccessRestricted.py @@ -22,8 +22,9 @@ def __init__(self, name: str, check_id: str, port: int) -> None: self.port = port def is_port_in_range(self, port_range: Union[int, str]) -> bool: - if re.match(PORT_RANGE, str(port_range)): - start, end = int(port_range.split("-")[0]), int(port_range.split("-")[1]) + port_range_str = str(port_range) + if re.match(PORT_RANGE, port_range_str): + start, end = int(port_range_str.split("-")[0]), int(port_range_str.split("-")[1]) if start <= self.port <= end: return True if port_range in (str(self.port), "*"): diff --git a/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py b/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py index 16d52cc51aa..a76411e8f28 100644 --- a/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py +++ b/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py @@ -2,8 +2,10 @@ class NSGRuleSSHAccessRestricted(NSGRulePortAccessRestricted): - def __init__(self): - super().__init__(name="Ensure that SSH access is restricted from the internet", check_id="CKV_AZURE_10", port=22) + def __init__(self) -> None: + super().__init__( + name="Ensure that SSH access is restricted from the internet", check_id="CKV_AZURE_10", port=22 + ) check = NSGRuleSSHAccessRestricted() diff --git a/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py b/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py index c637a47f98e..dfb854cc1d9 100644 --- a/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py +++ b/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py @@ -25,7 +25,6 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: conf["properties"]["value"].lower() == "on": return CheckResult.PASSED return CheckResult.FAILED - # If name not connection_throttling - don't report (neither pass nor fail) elif conf["type"] == "configurations": if "name" in conf and conf["name"] == "connection_throttling": if "parent_type" in conf: @@ -35,9 +34,11 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: conf["properties"]["value"].lower() == "on": return CheckResult.PASSED return CheckResult.FAILED - # If name not connection_throttling - don't report (neither pass nor fail) else: return CheckResult.FAILED + # If name not connection_throttling - don't report (neither pass nor fail) + return CheckResult.UNKNOWN + check = PostgreSQLServerConnectionThrottlingEnabled() diff --git a/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py b/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py index f7225d0e7dd..39aa02f60ef 100644 --- a/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py +++ b/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py @@ -26,7 +26,6 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: conf["properties"]["value"].lower() == "on": return CheckResult.PASSED return CheckResult.FAILED - # If name not connection_throttling - don't report (neither pass nor fail) elif conf["type"] == "configurations": if "name" in conf and conf["name"] == "log_checkpoints": if "parent_type" in conf: @@ -36,9 +35,11 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: conf["properties"]["value"].lower() == "on": return CheckResult.PASSED return CheckResult.FAILED - # If name not connection_throttling - don't report (neither pass nor fail) else: return CheckResult.FAILED + # If name not connection_throttling - don't report (neither pass nor fail) + return CheckResult.UNKNOWN + check = PostgreSQLServerLogCheckpointsEnabled() diff --git a/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py b/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py index f263c348893..4151b9ad66f 100644 --- a/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py +++ b/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py @@ -26,7 +26,6 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: conf["properties"]["value"].lower() == "on": return CheckResult.PASSED return CheckResult.FAILED - # If name not connection_throttling - don't report (neither pass nor fail) elif conf["type"] == "configurations": if "name" in conf and conf["name"] == "log_connections": if "parent_type" in conf: @@ -36,9 +35,11 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: conf["properties"]["value"].lower() == "on": return CheckResult.PASSED return CheckResult.FAILED - # If name not connection_throttling - don't report (neither pass nor fail) else: return CheckResult.FAILED + # If name not connection_throttling - don't report (neither pass nor fail) + return CheckResult.UNKNOWN + check = PostgreSQLServerLogConnectionsEnabled() diff --git a/checkov/arm/checks/resource/SecretContentType.py b/checkov/arm/checks/resource/SecretContentType.py index 01acf61c91c..1a655e5e6c8 100644 --- a/checkov/arm/checks/resource/SecretContentType.py +++ b/checkov/arm/checks/resource/SecretContentType.py @@ -7,11 +7,11 @@ class SecretContentType(BaseResourceValueCheck): - def __init__(self): - name = "Ensure that key vault secrets have \"content_type\" set" + def __init__(self) -> None: + name = 'Ensure that key vault secrets have "content_type" set' id = "CKV_AZURE_114" - supported_resources = ['Microsoft.KeyVault/vaults/secrets'] - categories = [CheckCategories.GENERAL_SECURITY] + supported_resources = ("Microsoft.KeyVault/vaults/secrets",) + categories = (CheckCategories.GENERAL_SECURITY,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) def get_inspected_key(self) -> str: diff --git a/checkov/arm/checks/resource/SecurityCenterStandardPricing.py b/checkov/arm/checks/resource/SecurityCenterStandardPricing.py index 11502fa4097..080cbadaee9 100644 --- a/checkov/arm/checks/resource/SecurityCenterStandardPricing.py +++ b/checkov/arm/checks/resource/SecurityCenterStandardPricing.py @@ -7,7 +7,7 @@ class SecurityCenterStandardPricing(BaseResourceCheck): - def __init__(self): + def __init__(self) -> None: # https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts name = "Ensure that standard pricing tier is selected" id = "CKV_AZURE_19" diff --git a/checkov/arm/checks/resource/StorageAccountAzureServicesAccessEnabled.py b/checkov/arm/checks/resource/StorageAccountAzureServicesAccessEnabled.py index 0db3034aa93..4504c93c815 100644 --- a/checkov/arm/checks/resource/StorageAccountAzureServicesAccessEnabled.py +++ b/checkov/arm/checks/resource/StorageAccountAzureServicesAccessEnabled.py @@ -1,3 +1,7 @@ +from __future__ import annotations + +from typing import Any + from checkov.arm.base_resource_check import BaseResourceCheck from checkov.common.models.enums import CheckResult, CheckCategories # https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts @@ -5,16 +9,16 @@ class StorageAccountAzureServicesAccessEnabled(BaseResourceCheck): - def __init__(self): + def __init__(self) -> None: # properties.networkAcls.bypass == "AzureServices" # Fail if apiVersion less than 2017 as this setting wasn't available name = "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access" id = "CKV_AZURE_36" - supported_resources = ['Microsoft.Storage/storageAccounts'] - categories = [CheckCategories.NETWORKING] + supported_resources = ('Microsoft.Storage/storageAccounts',) + categories = (CheckCategories.NETWORKING,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) - def scan_resource_conf(self, conf): + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: if "apiVersion" in conf: # Fail if apiVersion < 2017 as you could not set networkAcls year = force_int(conf["apiVersion"][0:4]) diff --git a/checkov/arm/checks/resource/StorageAccountDefaultNetworkAccessDeny.py b/checkov/arm/checks/resource/StorageAccountDefaultNetworkAccessDeny.py index 81d222a179c..1141f40839f 100644 --- a/checkov/arm/checks/resource/StorageAccountDefaultNetworkAccessDeny.py +++ b/checkov/arm/checks/resource/StorageAccountDefaultNetworkAccessDeny.py @@ -1,3 +1,7 @@ +from __future__ import annotations + +from typing import Any + from checkov.arm.base_resource_check import BaseResourceCheck from checkov.common.models.enums import CheckResult, CheckCategories from checkov.common.util.type_forcers import force_int @@ -6,16 +10,16 @@ # https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts class StorageAccountDefaultNetworkAccessDeny(BaseResourceCheck): - def __init__(self): + def __init__(self) -> None: # properties.networkAcls.bypass == "AzureServices" # Fail if apiVersion less than 2017 as this setting wasn't available name = "Ensure default network access rule for Storage Accounts is set to deny" id = "CKV_AZURE_35" - supported_resources = ['Microsoft.Storage/storageAccounts'] - categories = [CheckCategories.NETWORKING] + supported_resources = ('Microsoft.Storage/storageAccounts',) + categories = (CheckCategories.NETWORKING,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) - def scan_resource_conf(self, conf): + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: if "apiVersion" in conf: # Fail if apiVersion < 2017 as you could not set networkAcls year = force_int(conf["apiVersion"][0:4]) diff --git a/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py b/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py index a60ff9a15bc..aaf8e617403 100644 --- a/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py +++ b/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py @@ -1,5 +1,6 @@ from __future__ import annotations +from typing import Any from checkov.common.models.enums import CheckCategories from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck @@ -16,8 +17,8 @@ def __init__(self) -> None: def get_inspected_key(self) -> str: return 'properties/managedVirtualNetwork' - def get_forbidden_values(self) -> str: - return "default" + def get_forbidden_values(self) -> list[Any]: + return ["default"] check = SynapseWorkspaceEnablesManagedVirtualNetworks() diff --git a/checkov/arm/checks/resource/WinVMEncryptionAtHost.py b/checkov/arm/checks/resource/WinVMEncryptionAtHost.py index 504f646ebdc..b5a0059adae 100644 --- a/checkov/arm/checks/resource/WinVMEncryptionAtHost.py +++ b/checkov/arm/checks/resource/WinVMEncryptionAtHost.py @@ -3,7 +3,7 @@ class WinVMEncryptionAtHost(BaseResourceValueCheck): - def __init__(self): + def __init__(self) -> None: """ If enabled, all the disks (including the temp disk) attached to this Virtual Machine will be encrypted @@ -13,11 +13,11 @@ def __init__(self): """ name = "Ensure Windows VM enables encryption" id = "CKV_AZURE_151" - supported_resources = ['Microsoft.Compute/virtualMachines'] - categories = [CheckCategories.ENCRYPTION] + supported_resources = ("Microsoft.Compute/virtualMachines",) + categories = (CheckCategories.ENCRYPTION,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) - def get_inspected_key(self): + def get_inspected_key(self) -> str: return "properties/securityProfile/encryptionAtHost" diff --git a/checkov/cdk/checks/python/APIGatewayCacheEnable.yaml b/checkov/cdk/checks/python/APIGatewayCacheEnable.yaml new file mode 100644 index 00000000000..6b022141a60 --- /dev/null +++ b/checkov/cdk/checks/python/APIGatewayCacheEnable.yaml @@ -0,0 +1,18 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_120 + name: Ensure API Gateway caching is enabled + category: BACKUP_AND_RECOVERY +scope: + languages: + - python +definition: + patterns: + or: + - pattern: aws_cdk.aws_apigateway.Stage() + conditions: + - not_pattern: aws_cdk.aws_apigateway.Stage(, cache_cluster_enabled=True, ) + - pattern: aws_cdk.aws_sam.CfnApi() + conditions: + - not_pattern: aws_cdk.aws_sam.CfnApi(, cacheClusterEnabled=True , ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/BackupVaultEncrypted.yaml b/checkov/cdk/checks/python/BackupVaultEncrypted.yaml new file mode 100644 index 00000000000..6e28f9398e6 --- /dev/null +++ b/checkov/cdk/checks/python/BackupVaultEncrypted.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_166 + name: Ensure Backup Vault is encrypted at rest using KMS CMK + category: LOGGING +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_backup.CfnBackupVault() + conditions: + - not_pattern: aws_cdk.aws_backup.CfnBackupVault(, encryption_key_arn=$ARG, ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/CloudWatchLogGroupKMSKey.yaml b/checkov/cdk/checks/python/CloudWatchLogGroupKMSKey.yaml new file mode 100644 index 00000000000..34652709da4 --- /dev/null +++ b/checkov/cdk/checks/python/CloudWatchLogGroupKMSKey.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_158 + name: Ensure that CloudWatch Log Group is encrypted by KMS + category: ENCRYPTION +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_logs.LogGroup() + conditions: + - not_pattern: aws_cdk.aws_logs.LogGroup(, kms_key=$KEY, ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/DAXEncryption.yaml b/checkov/cdk/checks/python/DAXEncryption.yaml new file mode 100644 index 00000000000..f9a264de061 --- /dev/null +++ b/checkov/cdk/checks/python/DAXEncryption.yaml @@ -0,0 +1,17 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_47 + name: Ensure DAX is encrypted at rest (default is unencrypted) + category: ENCRYPTION +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_dax.CfnCluster() + conditions: + - not_pattern: aws_cdk.aws_dax.CfnCluster(, sse_specification=aws_cdk.aws_dax.CfnCluster.SSESpecificationProperty(, enabled=True , ), ) + - not_pattern: | + $P = aws_cdk.aws_dax.CfnCluster.SSESpecificationProperty(, enabled=True , ) + + aws_cdk.aws_dax.CfnCluster(sse_specification=$P) \ No newline at end of file diff --git a/checkov/cdk/checks/python/DocDBEncryption.yaml b/checkov/cdk/checks/python/DocDBEncryption.yaml new file mode 100644 index 00000000000..9d14f473681 --- /dev/null +++ b/checkov/cdk/checks/python/DocDBEncryption.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_74 + name: Ensure DocDB is encrypted at rest (default is unencrypted) + category: ENCRYPTION +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_docdb.CfnDBCluster() + conditions: + - not_pattern: aws_cdk.aws_neptune.CfnDBCluster(, storage_encrypted=True , ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/DynamodbGlobalTableRecovery.yaml b/checkov/cdk/checks/python/DynamodbGlobalTableRecovery.yaml new file mode 100644 index 00000000000..91ea64f46a6 --- /dev/null +++ b/checkov/cdk/checks/python/DynamodbGlobalTableRecovery.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_165 + name: Ensure Dynamodb global table point in time recovery (backup) is enabled + category: BACKUP_AND_RECOVERY +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_dynamodb.CfnGlobalTable() + conditions: + - not_pattern: aws_cdk.aws_dynamodb.CfnGlobalTable(, replicas=[, aws_cdk.aws_dynamodb.CfnGlobalTable.ReplicaSpecificationProperty(, point_in_time_recovery_specification=aws_cdk.aws_dynamodb.CfnGlobalTable.PointInTimeRecoverySpecificationProperty(point_in_time_recovery_enabled=True) , ) , ], ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/DynamodbRecovery.yaml b/checkov/cdk/checks/python/DynamodbRecovery.yaml new file mode 100644 index 00000000000..727ed2babe5 --- /dev/null +++ b/checkov/cdk/checks/python/DynamodbRecovery.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_28 + name: Ensure Dynamodb point in time recovery (backup) is enabled + category: BACKUP_AND_RECOVERY +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_dynamodb.Table() + conditions: + - not_pattern: aws_cdk.aws_dynamodb.Table(, point_in_time_recovery=True , ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/EBSEncryption.yaml b/checkov/cdk/checks/python/EBSEncryption.yaml new file mode 100644 index 00000000000..ea254461636 --- /dev/null +++ b/checkov/cdk/checks/python/EBSEncryption.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_3 + name: Ensure all data stored in the EBS is securely encrypted + category: ENCRYPTION +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_ec2.Volume() + conditions: + - not_pattern: aws_cdk.aws_ec2.Volume(, encrypted=True , ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/ECRImageScanning.yaml b/checkov/cdk/checks/python/ECRImageScanning.yaml new file mode 100644 index 00000000000..a3546205766 --- /dev/null +++ b/checkov/cdk/checks/python/ECRImageScanning.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_163 + name: Ensure ECR image scanning on push is enabled + category: GENERAL_SECURITY +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_ecr.Repository() + conditions: + - not_pattern: aws_cdk.aws_ecr.Repository(, image_scan_on_push=True, ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/ECRImmutableTags.yaml b/checkov/cdk/checks/python/ECRImmutableTags.yaml new file mode 100644 index 00000000000..3844b0a5f27 --- /dev/null +++ b/checkov/cdk/checks/python/ECRImmutableTags.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_51 + name: Ensure ECR Image Tags are immutable + category: GENERAL_SECURITY +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_ecr.Repository() + conditions: + - not_pattern: aws_cdk.aws_ecr.Repository(, image_tag_mutability=aws_cdk.aws_ecr.TagMutability.IMMUTABLE, ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/ElasticacheReplicationGroupEncryptionAtTransit.yaml b/checkov/cdk/checks/python/ElasticacheReplicationGroupEncryptionAtTransit.yaml new file mode 100644 index 00000000000..34eb94d4b92 --- /dev/null +++ b/checkov/cdk/checks/python/ElasticacheReplicationGroupEncryptionAtTransit.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_30 + name: Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit + category: ENCRYPTION +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_elasticache.CfnReplicationGroup() + conditions: + - not_pattern: aws_cdk.aws_elasticache.CfnReplicationGroup(, transit_encryption_enabled=True, ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/GlueSecurityConfigurationEnabled.yaml b/checkov/cdk/checks/python/GlueSecurityConfigurationEnabled.yaml new file mode 100644 index 00000000000..e9f9f6861d5 --- /dev/null +++ b/checkov/cdk/checks/python/GlueSecurityConfigurationEnabled.yaml @@ -0,0 +1,21 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_195 + name: Ensure Glue component has a security configuration associated + category: ENCRYPTION +scope: + languages: + - python +definition: + patterns: + or: + - pattern: aws_cdk.aws_glue.CfnCrawler() + conditions: + - not_pattern: aws_cdk.aws_glue.CfnCrawler(, crawler_security_configuration=$CON , ) + - pattern: aws_cdk.aws_glue.CfnDevEndpoint() + conditions: + not_pattern: aws_cdk.aws_glue.CfnDevEndpoint(, security_configuration=$VAL , ) + - pattern: aws_cdk.aws_glue.CfnJob() + conditions: + not_pattern: aws_cdk.aws_glue.CfnJob(, security_configuration=$VAL , ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/LambdaDLQConfigured.yaml b/checkov/cdk/checks/python/LambdaDLQConfigured.yaml new file mode 100644 index 00000000000..2b8674a3e36 --- /dev/null +++ b/checkov/cdk/checks/python/LambdaDLQConfigured.yaml @@ -0,0 +1,21 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_116 + name: Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) + category: GENERAL_SECURITY +scope: + languages: + - python +definition: + patterns: + or: + - pattern: aws_cdk.aws_lambda.Function() + conditions: + - not_pattern: aws_cdk.aws_lambda.Function(, dead_letter_queue=$ARG, ) + - pattern: aws_cdk.aws_lambda.CfnFunction() + conditions: + - not_pattern: aws_cdk.aws_lambda.CfnFunction(, dead_letter_config=$ARG, ) + - pattern: aws_cdk.aws_sam.CfnFunction() + conditions: + - not_pattern: aws_cdk.aws_sam.CfnFunction(, dead_letter_queue=$ARG, ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/LambdaFunctionLevelConcurrentExecutionLimit.yaml b/checkov/cdk/checks/python/LambdaFunctionLevelConcurrentExecutionLimit.yaml new file mode 100644 index 00000000000..c1876c0322b --- /dev/null +++ b/checkov/cdk/checks/python/LambdaFunctionLevelConcurrentExecutionLimit.yaml @@ -0,0 +1,18 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_115 + name: Ensure that AWS Lambda function is configured for function-level concurrent execution limit + category: GENERAL_SECURITY +scope: + languages: + - python +definition: + patterns: + or: + - pattern: aws_cdk.aws_lambda.Function() + conditions: + - not_pattern: aws_cdk.aws_lambda.Function(, reserved_concurrent_executions=$NUM, ) + - pattern: aws_cdk.aws_sam.CfnFunction() + conditions: + - not_pattern: aws_cdk.aws_sam.CfnFunction(, reserved_concurrent_executions=$NUM, ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/LambdaInVPC.yaml b/checkov/cdk/checks/python/LambdaInVPC.yaml new file mode 100644 index 00000000000..fa1e71a6759 --- /dev/null +++ b/checkov/cdk/checks/python/LambdaInVPC.yaml @@ -0,0 +1,18 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_117 + name: Ensure that AWS Lambda function is configured inside a VPC + category: GENERAL_SECURITY +scope: + languages: + - python +definition: + patterns: + or: + - pattern: aws_cdk.aws_lambda.Function() + conditions: + - not_pattern: aws_cdk.aws_lambda.Function(, vpc=$VPC, ) + - pattern: aws_cdk.aws_sam.CfnFunction() + conditions: + - not_pattern: aws_cdk.aws_sam.CfnFunction(, vpc_config=$ARG, ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/NeptuneClusterStorageEncrypted.yaml b/checkov/cdk/checks/python/NeptuneClusterStorageEncrypted.yaml new file mode 100644 index 00000000000..a2522c58e27 --- /dev/null +++ b/checkov/cdk/checks/python/NeptuneClusterStorageEncrypted.yaml @@ -0,0 +1,18 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_44 + name: Ensure Neptune storage is securely encrypted + category: ENCRYPTION +scope: + languages: + - python +definition: + patterns: + or: + - pattern: aws_cdk.aws_neptune.CfnDBCluster() + conditions: + - not_pattern: aws_cdk.aws_neptune.CfnDBCluster(, storage_encrypted=True , ) + - pattern: aws_cdk.aws_neptune.DatabaseCluster() + conditions: + - not_pattern: aws_cdk.aws_neptune.DatabaseCluster(, storage_encrypted=True , ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/RedshiftClusterEncryption.yaml b/checkov/cdk/checks/python/RedshiftClusterEncryption.yaml new file mode 100644 index 00000000000..ae18b89bf3d --- /dev/null +++ b/checkov/cdk/checks/python/RedshiftClusterEncryption.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_64 + name: Ensure all data stored in the Redshift cluster is securely encrypted at rest + category: ENCRYPTION +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_redshift.CfnCluster() + conditions: + - not_pattern: aws_cdk.aws_redshift.CfnCluster(, encrypted=True , ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/S3BlockPublicACLs.yaml b/checkov/cdk/checks/python/S3BlockPublicACLs.yaml new file mode 100644 index 00000000000..6ec2696f6da --- /dev/null +++ b/checkov/cdk/checks/python/S3BlockPublicACLs.yaml @@ -0,0 +1,18 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_53 + name: Ensure S3 bucket has block public ACLS enabled + category: GENERAL_SECURITY +scope: + languages: + - python +definition: + patterns: + or: + - pattern: aws_cdk.aws_s3.Bucket() + conditions: + - not_pattern: aws_cdk.aws_s3.Bucket(, block_public_access=aws_cdk.aws_s3.BlockPublicAccess(, block_public_acls=True, ), ) + - pattern: aws_cdk.aws_s3.CfnBucket() + conditions: + - not_pattern: 'aws_cdk.aws_s3.CfnBucket(, public_access_block_configuration={, "blockPublicAcls": True, } , )' \ No newline at end of file diff --git a/checkov/cdk/checks/python/S3PublicACLWrite.yaml b/checkov/cdk/checks/python/S3PublicACLWrite.yaml new file mode 100644 index 00000000000..91e1605ccbf --- /dev/null +++ b/checkov/cdk/checks/python/S3PublicACLWrite.yaml @@ -0,0 +1,16 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_57 + name: Ensure the S3 bucket does not allow WRITE permissions to everyone + category: GENERAL_SECURITY +scope: + languages: + - python +definition: + or: + - pattern: aws_cdk.aws_s3.Bucket(, access_control=$ARG, ) + conditions: + - metavariable: $ARG + pattern: aws_cdk.aws_s3.BucketAccessControl.PUBLIC_READ_WRITE + - pattern: aws_cdk.aws_s3.Bucket(, public_read_access=True, ) diff --git a/checkov/cdk/checks/python/S3RestrictPublicBuckets.yaml b/checkov/cdk/checks/python/S3RestrictPublicBuckets.yaml new file mode 100644 index 00000000000..36cdcec6d37 --- /dev/null +++ b/checkov/cdk/checks/python/S3RestrictPublicBuckets.yaml @@ -0,0 +1,18 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_56 + name: Ensure S3 bucket has 'restrict_public_bucket' enabled + category: GENERAL_SECURITY +scope: + languages: + - python +definition: + patterns: + or: + - pattern: aws_cdk.aws_s3.Bucket() + conditions: + - not_pattern: aws_cdk.aws_s3.Bucket(, restrict_public_buckets=True, ) + - pattern: aws_cdk.aws_s3.CfnBucket() + conditions: + - not_pattern: 'aws_cdk.aws_s3.CfnBucket(, public_access_block_configuration={, "restrictPublicBuckets": True, } , )' \ No newline at end of file diff --git a/checkov/cdk/checks/python/SQSQueueEncryption.yaml b/checkov/cdk/checks/python/SQSQueueEncryption.yaml new file mode 100644 index 00000000000..228de401678 --- /dev/null +++ b/checkov/cdk/checks/python/SQSQueueEncryption.yaml @@ -0,0 +1,18 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_27 + name: Ensure all data stored in the SQS queue is encrypted + category: ENCRYPTION +scope: + languages: + - python +definition: + patterns: + or: + - pattern: aws_cdk.aws_sqs.Queue() + conditions: + - not_pattern: aws_cdk.aws_sqs.Queue(, encryption_master_key=$KEY, ) + - pattern: aws_cdk.aws_sqs.CfnQueue() + conditions: + - not_pattern: aws_cdk.aws_sqs.CfnQueue(, kms_master_key_id=$KEY, ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/WAFEnabled.yaml b/checkov/cdk/checks/python/WAFEnabled.yaml new file mode 100644 index 00000000000..9f92d758fa4 --- /dev/null +++ b/checkov/cdk/checks/python/WAFEnabled.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_68 + name: CloudFront Distribution should have WAF enabled + category: ENCRYPTION +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_cloudfront.CfnDistribution() + conditions: + - not_pattern: 'aws_cdk.aws_cloudfront.CfnDistribution(, distribution_config={"webAclId": $ARG} , )' \ No newline at end of file diff --git a/checkov/cdk/checks/python/WorkspaceRootVolumeEncrypted.yaml b/checkov/cdk/checks/python/WorkspaceRootVolumeEncrypted.yaml new file mode 100644 index 00000000000..88b75ee9096 --- /dev/null +++ b/checkov/cdk/checks/python/WorkspaceRootVolumeEncrypted.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_156 + name: Ensure that Workspace root volumes are encrypted + category: ENCRYPTION +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_workspaces.CfnWorkspace() + conditions: + - not_pattern: aws_cdk.aws_workspaces.CfnWorkspace(, root_volume_encryption_enabled=True , ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/WorkspaceUserVolumeEncrypted.yaml b/checkov/cdk/checks/python/WorkspaceUserVolumeEncrypted.yaml new file mode 100644 index 00000000000..66a2060ba0b --- /dev/null +++ b/checkov/cdk/checks/python/WorkspaceUserVolumeEncrypted.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_155 + name: Ensure that Workspace user volumes are encrypted + category: ENCRYPTION +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_workspaces.CfnWorkspace() + conditions: + - not_pattern: aws_cdk.aws_workspaces.CfnWorkspace(, user_volume_encryption_enabled=True , ) \ No newline at end of file diff --git a/checkov/common/bridgecrew/integration_features/features/vulnerabilities_integration.py b/checkov/common/bridgecrew/integration_features/features/vulnerabilities_integration.py index d2e6d84f401..785f49f1474 100644 --- a/checkov/common/bridgecrew/integration_features/features/vulnerabilities_integration.py +++ b/checkov/common/bridgecrew/integration_features/features/vulnerabilities_integration.py @@ -2,14 +2,14 @@ import os from collections import defaultdict -from typing import TYPE_CHECKING, Optional, List, Dict, Any, Tuple +from typing import TYPE_CHECKING, Optional, List, Dict, Any, Tuple, Set from checkov.common.bridgecrew.check_type import CheckType from checkov.common.bridgecrew.integration_features.base_integration_feature import BaseIntegrationFeature from checkov.common.bridgecrew.platform_integration import bc_integration from checkov.common.output.record import SCA_PACKAGE_SCAN_CHECK_NAME, Record +from checkov.common.sast.consts import SastLanguages from checkov.common.util.type_forcers import convert_str_to_bool -from checkov.sast.consts import SastLanguages from checkov.sast.report import SastData, SastReport from checkov.common.sca.consts import get_package_by_str, ScaPackageFile, sca_package_to_sast_lang_map @@ -53,12 +53,13 @@ def merge_sca_and_sast_reports(self, merged_reports: list[Report]) -> None: not bool(convert_str_to_bool(os.getenv('CKV_ENABLE_SCA_INTEGRATE_SAST', False))): return - # Extract SAST imports report + # Extract SAST imports report and reachability report sast_reports = [scan_report for scan_report in merged_reports if isinstance(scan_report, SastReport)] if not len(sast_reports): return sast_imports_report = SastData.get_sast_import_report(sast_reports) + sast_reacability_report = SastData.get_sast_reachability_report(sast_reports) # Extract SCA packages report sca_packages_report = [scan_report for scan_report in merged_reports if @@ -80,18 +81,24 @@ def merge_sca_and_sast_reports(self, merged_reports: list[Report]) -> None: lang = self.get_sast_lang_by_file_path(sca_file_path) # Extract Sast data from Sast report filtered by the language - entries = sast_imports_report.get('imports', {}).get(lang, {}).items() - filtered_entries = [(code_file_path, sast_data) for code_file_path, sast_data in entries if - self.is_deeper_or_equal_level(sca_file_path, code_file_path)] + imports_entries = sast_imports_report.get('imports', {}).get(lang, {}).items() + filtered_imports_entries = [(code_file_path, sast_data) for code_file_path, sast_data in imports_entries if + self.is_deeper_or_equal_level(sca_file_path, code_file_path)] - if not len(filtered_entries): + reachability_entries = sast_reacability_report.get('reachability', {}).get(lang, {}).items() + filtered_reachability_entries = [(code_file_path, sast_data) for code_file_path, sast_data in + reachability_entries if self.is_deeper_or_equal_level(sca_file_path, + code_file_path)] + + if not len(filtered_imports_entries) and not len(filtered_reachability_entries): continue - # Create map with the relevant structure for the enrichment step - sast_files_by_packages_map = self.create_file_by_package_map(filtered_entries) + # Create maps with the relevant structure for the enrichment step + sast_files_by_package_map = self.create_file_by_package_map(filtered_imports_entries) + sast_reachable_cves_by_package_map = self.create_reachable_cves_by_package_map(filtered_reachability_entries) # Enrich the CVEs - self.enrich_cves_with_sast_data(current_cves, sast_files_by_packages_map) + self.enrich_cves_with_sast_data(current_cves, sast_files_by_package_map, sast_reachable_cves_by_package_map) ''' Each SCA report check has file_path, we want to getter same file_path so we won't have to calculate SAST language more then once @@ -132,19 +139,43 @@ def create_file_by_package_map(self, filtered_entries: List[Tuple[Any, Any]]) -> return sast_files_by_packages_map + def create_reachable_cves_by_package_map(self, filtered_reachability_entries: List[Tuple[Any, Any]]) -> Dict[str, Set[str]]: + reachable_cves_by_packages_map: Dict[str, Set[str]] = defaultdict(set) + for _, file_data in filtered_reachability_entries: + packages = file_data.packages + for package_name, package_data in packages.items(): + for function_item in package_data.functions: + reachable_cves_by_packages_map[package_name].add(function_item.cve_id) + return reachable_cves_by_packages_map + +####################################################################################################################### ''' enrich each CVE with the risk factor of IsUsed - which means there is a file the use the package of that CVE ''' - def enrich_cves_with_sast_data(self, current_cves: List[Record], sast_files_by_packages_map: Dict[str, List[str]]) -> None: + def _is_package_used_for_cve(self, cve_vulnerability_details: Dict[str, Any], sast_files_by_package_map: Dict[str, List[str]]) -> bool: + package_name = cve_vulnerability_details.get('package_name', '') + normalize_package_name = self.normalize_package_name(package_name) + return package_name in sast_files_by_package_map or normalize_package_name in sast_files_by_package_map + + def _is_reachable_function_for_cve(self, cve_vulnerability_details: Dict[str, Any], sast_reachable_cves_by_package_map: Dict[str, Set[str]]) -> bool: + package_name = cve_vulnerability_details.get('package_name', '') + return cve_vulnerability_details.get('id') in sast_reachable_cves_by_package_map.get(package_name, set()) + + def enrich_cves_with_sast_data( + self, + current_cves: List[Record], + sast_files_by_package_map: Dict[str, List[str]], + sast_reachable_cves_by_package_map: Dict[str, Set[str]] + ) -> None: for cve_check in current_cves: if cve_check.vulnerability_details: - package_name = cve_check.vulnerability_details.get('package_name', '') - normalize_package_name = self.normalize_package_name(package_name) - cve_check.vulnerability_details.get('risk_factors', {})['IsUsed'] = False + is_package_used = self._is_package_used_for_cve(cve_check.vulnerability_details, sast_files_by_package_map) + cve_check.vulnerability_details.get('risk_factors', {})['IsUsed'] = is_package_used - if package_name in sast_files_by_packages_map or normalize_package_name in sast_files_by_packages_map: - cve_check.vulnerability_details.get('risk_factors', {})['IsUsed'] = True + is_reachable_function = self._is_reachable_function_for_cve(cve_check.vulnerability_details, sast_reachable_cves_by_package_map) + cve_check.vulnerability_details.get('risk_factors', {})['ReachableFunction'] = is_reachable_function +####################################################################################################################### ''' we want to consider sast info only on files that are on the same level of the SCA file or deeper. diff --git a/checkov/common/images/image_referencer.py b/checkov/common/images/image_referencer.py index b7809b1a1c8..92d439f7cbf 100644 --- a/checkov/common/images/image_referencer.py +++ b/checkov/common/images/image_referencer.py @@ -5,7 +5,7 @@ from abc import abstractmethod from collections.abc import Iterable from pathlib import Path -from typing import cast, Any, TYPE_CHECKING, Generic, TypeVar +from typing import Any, TYPE_CHECKING, Generic, TypeVar import aiohttp import docker @@ -103,8 +103,8 @@ def inspect(image_name: str) -> str: image = client.images.get(image_name) except Exception: image = client.images.pull(image_name) - return cast(str, image.short_id) - return cast(str, image.short_id) + return image.short_id + return image.short_id except Exception: logging.debug(f"failed to pull docker image={image_name}", exc_info=True) return "" diff --git a/checkov/common/output/common.py b/checkov/common/output/common.py index 092b87fe1ca..515b556fce0 100644 --- a/checkov/common/output/common.py +++ b/checkov/common/output/common.py @@ -65,3 +65,11 @@ def get_package_name_with_lines(package_name: str, lines: list[int] | None) -> s if lines and validate_lines(lines): return f"{package_name} [{lines[0]}-{lines[1]}]" return package_name + + +def get_reachability_output_indication(cve_reachability_risk_factors: dict[str, bool]) -> str: + if cve_reachability_risk_factors.get("ReachableFunction"): + return "Reachable Function" + if cve_reachability_risk_factors.get("IsUsed"): + return "Package Used" + return "" diff --git a/checkov/common/output/cyclonedx.py b/checkov/common/output/cyclonedx.py index 0224dd09812..092af9363b0 100644 --- a/checkov/common/output/cyclonedx.py +++ b/checkov/common/output/cyclonedx.py @@ -100,12 +100,8 @@ def create_bom(self) -> Bom: continue component = self.create_component(check_type=report.check_type, resource=check) - if bom.has_component(component=component): - component = ( - bom.get_component_by_purl( # type:ignore[assignment] # the previous line checks, if exists - purl=component.purl - ) - ) + if existing_component := bom.get_component_by_purl(purl=component.purl): + component = existing_component else: bom.components.add(component) @@ -121,7 +117,7 @@ def create_bom(self) -> Bom: for resource in sorted(report.extra_resources): component = self.create_component(check_type=report.check_type, resource=resource) - if not bom.has_component(component=component): + if not bom.get_component_by_purl(purl=component.purl): bom.components.add(component) if is_image_report: diff --git a/checkov/common/output/report.py b/checkov/common/output/report.py index dfe38a86463..6f04cdd66cf 100644 --- a/checkov/common/output/report.py +++ b/checkov/common/output/report.py @@ -19,10 +19,10 @@ from checkov.common.output.ai import OpenAi from checkov.common.typing import _ExitCodeThresholds, _ScaExitCodeThresholds from checkov.common.output.record import Record, SCA_PACKAGE_SCAN_CHECK_NAME +from checkov.common.sast.consts import POLICIES_ERRORS, POLICIES_ERRORS_COUNT, ENGINE_NAME, SOURCE_FILES_COUNT, POLICY_COUNT from checkov.common.util.consts import PARSE_ERROR_FAIL_FLAG, CHECKOV_RUN_SCA_PACKAGE_SCAN_V2, S3_UPLOAD_DETAILS_MESSAGE from checkov.common.util.json_utils import CustomJSONEncoder from checkov.runner_filter import RunnerFilter -from checkov.sast.consts import POLICIES_ERRORS, POLICIES_ERRORS_COUNT, ENGINE_NAME, SOURCE_FILES_COUNT, POLICY_COUNT from checkov.sca_package_2.output import create_cli_output as create_sca_package_cli_output_v2 diff --git a/checkov/common/runners/runner_registry.py b/checkov/common/runners/runner_registry.py index 51d9b2e84e8..8e5755a1815 100644 --- a/checkov/common/runners/runner_registry.py +++ b/checkov/common/runners/runner_registry.py @@ -167,8 +167,12 @@ def _parallel_run(runner: _BaseRunner) -> tuple[Report | list[Report], str | Non for runner in invalid_runners: logging.log(level, f'The framework "{runner.check_type}" is part of the "{self.licensing_integration.get_subscription_for_runner(runner.check_type).name}" module, which is not enabled in the platform') - parallel_runner_results = parallel_runner.run_function(func=_parallel_run, items=valid_runners, - group_size=1) + parallel_runner_results = parallel_runner.run_function( + func=_parallel_run, + items=valid_runners, + group_size=1, + ) + reports = [] full_check_type_to_graph = {} full_check_type_to_resource_subgraph_map = {} diff --git a/checkov/common/sast/__init__.py b/checkov/common/sast/__init__.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/checkov/sast/consts.py b/checkov/common/sast/consts.py similarity index 100% rename from checkov/sast/consts.py rename to checkov/common/sast/consts.py diff --git a/checkov/common/sca/consts.py b/checkov/common/sca/consts.py index 2ee976e033a..2fd679c7649 100644 --- a/checkov/common/sca/consts.py +++ b/checkov/common/sca/consts.py @@ -1,7 +1,7 @@ from enum import Enum from typing import Optional, Dict -from checkov.sast.consts import SastLanguages +from checkov.common.sast.consts import SastLanguages class ScaPackageFile(Enum): diff --git a/checkov/kubernetes/checks/resource/base_root_container_check.py b/checkov/kubernetes/checks/resource/base_root_container_check.py index 4918c8822c2..50d2874cfcf 100644 --- a/checkov/kubernetes/checks/resource/base_root_container_check.py +++ b/checkov/kubernetes/checks/resource/base_root_container_check.py @@ -1,7 +1,10 @@ +from __future__ import annotations + from abc import abstractmethod from typing import Dict, Any, Optional from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.common.util.data_structures_utils import find_in_dict from checkov.kubernetes.checks.resource.base_spec_check import BaseK8Check from checkov.kubernetes.checks.resource.registry import registry @@ -33,21 +36,15 @@ def extract_spec(self, conf: Dict[str, Any]) -> Dict[str, Any]: if "spec" in conf: spec = conf["spec"] elif conf['kind'] == 'CronJob': - if "spec" in conf and \ - isinstance(conf["spec"], dict) and \ - "jobTemplate" in conf["spec"] and \ - "spec" in conf["spec"]["jobTemplate"] and \ - conf["spec"]["jobTemplate"]["spec"] and \ - "template" in conf["spec"]["jobTemplate"]["spec"] and \ - "spec" in conf["spec"]["jobTemplate"]["spec"]["template"]: - spec = conf["spec"]["jobTemplate"]["spec"]["template"]["spec"] + inner_spec = find_in_dict(input_dict=conf, key_path="spec/jobTemplate/spec/template/spec") + spec = inner_spec if inner_spec else spec else: - inner_spec = self.get_inner_entry(conf, "spec") + inner_spec = find_in_dict(input_dict=conf, key_path="spec/template/spec") spec = inner_spec if inner_spec else spec return spec @staticmethod - def check_runAsNonRoot(spec): + def check_runAsNonRoot(spec: dict[str, Any]) -> str: if not isinstance(spec, dict): return "ABSENT" security_context = spec.get("securityContext") diff --git a/checkov/kubernetes/checks/resource/base_spec_check.py b/checkov/kubernetes/checks/resource/base_spec_check.py index 45d2b978538..808d33832e5 100644 --- a/checkov/kubernetes/checks/resource/base_spec_check.py +++ b/checkov/kubernetes/checks/resource/base_spec_check.py @@ -35,10 +35,3 @@ def scan_entity_conf(self, conf: Dict[str, Any], entity_type: str) -> CheckResul def scan_spec_conf(self, conf: Dict[str, Any]) -> CheckResult: """Return result of Kubernetes object check.""" raise NotImplementedError() - - @staticmethod - def get_inner_entry(conf: Dict[str, Any], entry_name: str) -> Dict[str, Any]: - spec = {} - if conf.get("spec") and isinstance(conf["spec"], dict) and conf.get("spec").get("template"): - spec = conf.get("spec").get("template").get(entry_name, {}) - return spec diff --git a/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalationPSP.py b/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalationPSP.py index e2400573f05..dbb9b588741 100644 --- a/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalationPSP.py +++ b/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalationPSP.py @@ -33,5 +33,7 @@ def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult: else: return CheckResult.FAILED + return CheckResult.UNKNOWN + check = AllowPrivilegeEscalationPSP() diff --git a/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py b/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py index 879a8b30fae..73e6998535a 100644 --- a/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py +++ b/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py @@ -3,6 +3,7 @@ from typing import Any from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.common.util.data_structures_utils import find_in_dict from checkov.kubernetes.checks.resource.base_spec_check import BaseK8Check @@ -35,18 +36,10 @@ def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult: if "spec" in conf: spec = conf["spec"] elif conf["kind"] == "CronJob": - spec = conf.get("spec") - if spec: - job_template = spec.get("jobTemplate") - if job_template: - job_template_spec = job_template.get("spec") - if job_template_spec: - template = job_template_spec.get("template") - if template: - if "spec" in template: - spec = template["spec"] + inner_spec = find_in_dict(input_dict=conf, key_path="spec/jobTemplate/spec/template/spec") + spec = inner_spec if inner_spec else spec else: - inner_spec = self.get_inner_entry(conf, "spec") + inner_spec = find_in_dict(input_dict=conf, key_path="spec/template/spec") spec = inner_spec if inner_spec else spec # Evaluate volumes diff --git a/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py b/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py index e4b194d68e9..ddd5ba7a72d 100644 --- a/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py +++ b/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py @@ -23,5 +23,7 @@ def scan_container_conf(self, metadata: Dict[str, Any], conf: Dict[str, Any]) -> return CheckResult.FAILED return CheckResult.FAILED + return CheckResult.UNKNOWN + check = KubeletClientCa() diff --git a/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilitiesPSP.py b/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilitiesPSP.py index e64498c05e2..d604e05a22c 100644 --- a/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilitiesPSP.py +++ b/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilitiesPSP.py @@ -1,19 +1,22 @@ +from __future__ import annotations + +from typing import Any + from checkov.common.models.enums import CheckCategories, CheckResult from checkov.kubernetes.checks.resource.base_spec_check import BaseK8Check class MinimizeCapabilitiesPSP(BaseK8Check): - - def __init__(self): + def __init__(self) -> None: # CIS-1.5 5.2.9 name = "Minimize the admission of containers with capabilities assigned" # Location: PodSecurityPolicy.spec.requiredDropCapabilities id = "CKV_K8S_36" - supported_kind = ['PodSecurityPolicy'] - categories = [CheckCategories.KUBERNETES] + supported_kind = ("PodSecurityPolicy",) + categories = (CheckCategories.KUBERNETES,) super().__init__(name=name, id=id, categories=categories, supported_entities=supported_kind) - def scan_spec_conf(self, conf): + def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult: if "spec" in conf: if "requiredDropCapabilities" in conf["spec"]: if conf["spec"]["requiredDropCapabilities"]: diff --git a/checkov/kubernetes/checks/resource/k8s/PeerClientCertAuthTrue.py b/checkov/kubernetes/checks/resource/k8s/PeerClientCertAuthTrue.py index df24123f7e3..eabae61c5ba 100644 --- a/checkov/kubernetes/checks/resource/k8s/PeerClientCertAuthTrue.py +++ b/checkov/kubernetes/checks/resource/k8s/PeerClientCertAuthTrue.py @@ -1,24 +1,28 @@ +from __future__ import annotations + +from typing import Any + from checkov.common.models.enums import CheckCategories, CheckResult from checkov.kubernetes.checks.resource.base_spec_check import BaseK8Check class PeerClientCertAuthTrue(BaseK8Check): - - def __init__(self): + def __init__(self) -> None: name = "Ensure that the --peer-client-cert-auth argument is set to true" id = "CKV_K8S_121" - supported_kind = ['Pod'] - categories = [CheckCategories.KUBERNETES] + supported_kind = ("Pod",) + categories = (CheckCategories.KUBERNETES,) super().__init__(name=name, id=id, categories=categories, supported_entities=supported_kind) - def scan_spec_conf(self, conf, entity_type=None): - if conf.get("metadata", {}).get('name') == 'etcd': - containers = conf.get('spec')['containers'] - for container in containers: - if container.get("args") is not None: - if '--peer-client-cert-auth=true' not in container['args']: - return CheckResult.FAILED - return CheckResult.PASSED + def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult: + if conf.get("metadata", {}).get("name") == "etcd": + containers = conf.get("spec", {}).get("containers") + if containers: + for container in containers: + if container.get("args") is not None: + if "--peer-client-cert-auth=true" not in container["args"]: + return CheckResult.FAILED + return CheckResult.PASSED return CheckResult.UNKNOWN diff --git a/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py b/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py index d9524fb7696..5e8bfa1a7b9 100644 --- a/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py +++ b/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py @@ -3,6 +3,7 @@ from typing import Any from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.common.util.data_structures_utils import find_in_dict from checkov.kubernetes.checks.resource.base_spec_check import BaseK8Check @@ -35,18 +36,10 @@ def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult: if "spec" in conf: spec = conf["spec"] elif conf["kind"] == "CronJob": - spec = conf.get("spec") - if spec: - job_template = spec.get("jobTemplate") - if job_template: - job_template_spec = job_template.get("spec") - if job_template_spec: - template = job_template_spec.get("template") - if template: - if "spec" in template: - spec = template["spec"] + inner_spec = find_in_dict(input_dict=conf, key_path="spec/jobTemplate/spec/template/spec") + spec = inner_spec if inner_spec else spec else: - inner_spec = self.get_inner_entry(conf, "spec") + inner_spec = find_in_dict(input_dict=conf, key_path="spec/template/spec") spec = inner_spec if inner_spec else spec if spec and isinstance(spec, dict): diff --git a/checkov/kubernetes/checks/resource/k8s/PrivilegedContainersPSP.py b/checkov/kubernetes/checks/resource/k8s/PrivilegedContainersPSP.py index 036214161c6..b73895412d9 100644 --- a/checkov/kubernetes/checks/resource/k8s/PrivilegedContainersPSP.py +++ b/checkov/kubernetes/checks/resource/k8s/PrivilegedContainersPSP.py @@ -3,18 +3,17 @@ class PrivilegedContainersPSP(BaseSpecOmittedOrValueCheck): - - def __init__(self): + def __init__(self) -> None: # CIS-1.3 1.7.1 # CIS-1.5 5.2.1 name = "Do not admit privileged containers" id = "CKV_K8S_2" # Location: PodSecurityPolicy.spec.privileged - supported_kind = ['PodSecurityPolicy'] - categories = [CheckCategories.KUBERNETES] + supported_kind = ("PodSecurityPolicy",) + categories = (CheckCategories.KUBERNETES,) super().__init__(name=name, id=id, categories=categories, supported_entities=supported_kind) - def get_inspected_key(self): + def get_inspected_key(self) -> str: return "spec/privileged" diff --git a/checkov/kubernetes/checks/resource/k8s/RbacApproveCertificateSigningRequests.py b/checkov/kubernetes/checks/resource/k8s/RbacApproveCertificateSigningRequests.py index dd38227d562..fba90cc5ebc 100644 --- a/checkov/kubernetes/checks/resource/k8s/RbacApproveCertificateSigningRequests.py +++ b/checkov/kubernetes/checks/resource/k8s/RbacApproveCertificateSigningRequests.py @@ -2,10 +2,10 @@ class RbacApproveCertificateSigningRequests(BaseRbacK8sCheck): - def __init__(self): + def __init__(self) -> None: name = "Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests" id = "CKV_K8S_156" - supported_entities = ["ClusterRole"] + supported_entities = ("ClusterRole",) super().__init__(name=name, id=id, supported_entities=supported_entities) # See https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/ diff --git a/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py b/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py index 90a055ca25c..7d137789c32 100644 --- a/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py +++ b/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py @@ -2,7 +2,7 @@ class RbacBindRoleBindings(BaseRbacK8sCheck): - def __init__(self): + def __init__(self) -> None: name = "Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings" id = "CKV_K8S_157" super().__init__(name=name, id=id) diff --git a/checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py b/checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py index a6a7b4b3fa3..b83f58e7ccf 100644 --- a/checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py +++ b/checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py @@ -2,7 +2,7 @@ class RbacControlWebhooks(BaseRbacK8sCheck): - def __init__(self): + def __init__(self) -> None: name = "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations" id = "CKV_K8S_155" supported_entities = ["ClusterRole"] diff --git a/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py b/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py index 4d941b8b1eb..26e59af4e20 100644 --- a/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py +++ b/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py @@ -2,7 +2,7 @@ class RbacEscalateRoles(BaseRbacK8sCheck): - def __init__(self): + def __init__(self) -> None: name = "Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles" id = "CKV_K8S_158" super().__init__(name=name, id=id) diff --git a/checkov/kubernetes/checks/resource/k8s/RootContainers.py b/checkov/kubernetes/checks/resource/k8s/RootContainers.py index 47a17d8d6a8..be3bb299a48 100644 --- a/checkov/kubernetes/checks/resource/k8s/RootContainers.py +++ b/checkov/kubernetes/checks/resource/k8s/RootContainers.py @@ -1,9 +1,13 @@ +from __future__ import annotations + +from typing import Any + from checkov.common.models.enums import CheckResult from checkov.kubernetes.checks.resource.base_root_container_check import BaseK8sRootContainerCheck class RootContainers(BaseK8sRootContainerCheck): - def __init__(self): + def __init__(self) -> None: # CIS-1.3 1.7.6 # CIS-1.5 5.2.6 name = "Minimize the admission of root containers" @@ -14,12 +18,12 @@ def __init__(self): id = "CKV_K8S_23" super().__init__(name=name, id=id) - def scan_spec_conf(self, conf): + def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult: spec = self.extract_spec(conf) # Collect results if spec and isinstance(spec, dict): - results = {"pod": {}, "container": []} + results: dict[str, Any] = {"pod": {}, "container": []} results["pod"]["runAsNonRoot"] = self.check_runAsNonRoot(spec) results["pod"]["runAsUser"] = self.check_runAsUser(spec, 1) diff --git a/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py b/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py index 8817dca1b65..c8f5aaef340 100644 --- a/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py +++ b/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py @@ -21,7 +21,7 @@ def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult: # Collect results if spec and isinstance(spec, dict): - results = {"pod": {}, "container": []} + results: dict[str, Any] = {"pod": {}, "container": []} results["pod"]["runAsUser"] = self.check_runAsUser(spec, 10000) containers = spec.get("containers", []) diff --git a/checkov/kubernetes/checks/resource/k8s/RootContainersPSP.py b/checkov/kubernetes/checks/resource/k8s/RootContainersPSP.py index 16393ea2026..5b57dcc84df 100644 --- a/checkov/kubernetes/checks/resource/k8s/RootContainersPSP.py +++ b/checkov/kubernetes/checks/resource/k8s/RootContainersPSP.py @@ -1,20 +1,23 @@ +from __future__ import annotations + +from typing import Any + from checkov.common.models.enums import CheckCategories, CheckResult from checkov.kubernetes.checks.resource.base_spec_check import BaseK8Check class RootContainersPSP(BaseK8Check): - - def __init__(self): + def __init__(self) -> None: # CIS-1.3 1.7.6 # CIS-1.5 5.2.6 name = "Do not admit root containers" # Location: PodSecurityPolicy.spec.runAsUser.rule id = "CKV_K8S_6" - supported_kind = ['PodSecurityPolicy'] - categories = [CheckCategories.KUBERNETES] + supported_kind = ("PodSecurityPolicy",) + categories = (CheckCategories.KUBERNETES,) super().__init__(name=name, id=id, categories=categories, supported_entities=supported_kind) - def scan_spec_conf(self, conf): + def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult: if "spec" in conf: if "runAsUser" in conf["spec"]: if "rule" in conf["spec"]["runAsUser"]: diff --git a/checkov/kubernetes/checks/resource/k8s/Seccomp.py b/checkov/kubernetes/checks/resource/k8s/Seccomp.py index 7411422931f..cf6745e1ef7 100644 --- a/checkov/kubernetes/checks/resource/k8s/Seccomp.py +++ b/checkov/kubernetes/checks/resource/k8s/Seccomp.py @@ -52,24 +52,23 @@ def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult: if security_profile: return CheckResult.PASSED if security_profile == 'RuntimeDefault' else CheckResult.FAILED - metadata = self.get_inner_entry(conf, "metadata") + metadata = find_in_dict(input_dict=conf, key_path="spec/template/metadata") if not metadata and "metadata" in conf: metadata = conf["metadata"] elif conf['kind'] == 'CronJob': - if "spec" in conf: - if isinstance(conf["spec"], dict) and "jobTemplate" in conf["spec"]: - if "spec" in conf["spec"]["jobTemplate"]: - if conf["spec"]["jobTemplate"]["spec"] and "template" in conf["spec"]["jobTemplate"]["spec"]: - if "metadata" in conf["spec"]["jobTemplate"]["spec"]["template"]: - metadata = conf["spec"]["jobTemplate"]["spec"]["template"]["metadata"] - elif "spec" in conf["spec"]["jobTemplate"]["spec"]["template"]: - if "metadata" in conf["spec"]["jobTemplate"]["spec"]["template"]["spec"]: - metadata = conf["spec"]["jobTemplate"]["spec"]["template"]["spec"]["metadata"] - elif "securityContext" in conf["spec"]["jobTemplate"]["spec"]["template"]["spec"]: - security_profile = conf["spec"]["jobTemplate"]["spec"]["template"]["spec"]["securityContext"].get("seccompProfile", {}).get("type") - return CheckResult.PASSED if security_profile == 'RuntimeDefault' else CheckResult.FAILED + inner_template = find_in_dict(input_dict=conf, key_path="spec/jobTemplate/spec/template") + if inner_template and isinstance(inner_template, dict): + if "metadata" in inner_template: + metadata = inner_template["metadata"] + elif "spec" in inner_template: + inner_spec = inner_template["spec"] + if "metadata" in inner_spec: + metadata = inner_spec["metadata"] + elif "securityContext" in inner_spec: + security_profile = inner_spec["securityContext"].get("seccompProfile", {}).get("type") + return CheckResult.PASSED if security_profile == 'RuntimeDefault' else CheckResult.FAILED else: - inner_metadata = self.get_inner_entry(conf, "metadata") + inner_metadata = find_in_dict(input_dict=conf, key_path="spec/template/metadata") metadata = inner_metadata if inner_metadata else metadata if metadata: diff --git a/checkov/kubernetes/checks/resource/k8s/SeccompPSP.py b/checkov/kubernetes/checks/resource/k8s/SeccompPSP.py index 2b561b24380..dded5541c85 100644 --- a/checkov/kubernetes/checks/resource/k8s/SeccompPSP.py +++ b/checkov/kubernetes/checks/resource/k8s/SeccompPSP.py @@ -1,19 +1,22 @@ +from __future__ import annotations + +from typing import Any + from checkov.common.models.enums import CheckCategories, CheckResult from checkov.kubernetes.checks.resource.base_spec_check import BaseK8Check class SeccompPSP(BaseK8Check): - - def __init__(self): + def __init__(self) -> None: # CIS-1.5 5.7.2 name = "Ensure default seccomp profile set to docker/default or runtime/default" id = "CKV_K8S_32" # Location: PodSecurityPolicy.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName - supported_kind = ['PodSecurityPolicy'] - categories = [CheckCategories.KUBERNETES] + supported_kind = ("PodSecurityPolicy",) + categories = (CheckCategories.KUBERNETES,) super().__init__(name=name, id=id, categories=categories, supported_entities=supported_kind) - def scan_spec_conf(self, conf): + def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult: if "metadata" in conf: if "annotations" in conf["metadata"] and conf["metadata"].get("annotations"): for annotation in conf["metadata"]["annotations"]: diff --git a/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py b/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py index f9db1f348e6..f486eca9ec9 100644 --- a/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py +++ b/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py @@ -3,6 +3,7 @@ from typing import Any from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.common.util.data_structures_utils import find_in_dict from checkov.kubernetes.checks.resource.base_spec_check import BaseK8Check @@ -35,18 +36,10 @@ def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult: if "spec" in conf: spec = conf["spec"] elif conf["kind"] == "CronJob": - spec = conf.get("spec") - if spec: - job_template = spec.get("jobTemplate") - if job_template: - job_template_spec = job_template.get("spec") - if job_template_spec: - template = job_template_spec.get("template") - if template: - if "spec" in template: - spec = template["spec"] + inner_spec = find_in_dict(input_dict=conf, key_path="spec/jobTemplate/spec/template/spec") + spec = inner_spec if inner_spec else spec else: - inner_spec = self.get_inner_entry(conf, "spec") + inner_spec = find_in_dict(input_dict=conf, key_path="spec/template/spec") spec = inner_spec if inner_spec else spec # Collect results diff --git a/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py b/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py index c787e49761f..fd7c5e2c2cf 100644 --- a/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py +++ b/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py @@ -3,6 +3,7 @@ from typing import Any from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.common.util.data_structures_utils import find_in_dict from checkov.kubernetes.checks.resource.base_spec_check import BaseK8Check @@ -35,18 +36,10 @@ def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult: if "spec" in conf: spec = conf["spec"] elif conf["kind"] == "CronJob": - spec = conf.get("spec") - if spec: - job_template = spec.get("jobTemplate") - if job_template: - job_template_spec = job_template.get("spec") - if job_template_spec: - template = job_template_spec.get("template") - if template: - if "spec" in template: - spec = template["spec"] + inner_spec = find_in_dict(input_dict=conf, key_path="spec/jobTemplate/spec/template/spec") + spec = inner_spec if inner_spec else spec else: - inner_spec = self.get_inner_entry(conf, "spec") + inner_spec = find_in_dict(input_dict=conf, key_path="spec/template/spec") spec = inner_spec if inner_spec else spec if spec: if "hostIPC" in spec: diff --git a/checkov/kubernetes/checks/resource/k8s/ShareHostIPCPSP.py b/checkov/kubernetes/checks/resource/k8s/ShareHostIPCPSP.py index c9da1f87447..3e69e9e644e 100644 --- a/checkov/kubernetes/checks/resource/k8s/ShareHostIPCPSP.py +++ b/checkov/kubernetes/checks/resource/k8s/ShareHostIPCPSP.py @@ -3,18 +3,17 @@ class ShareHostIPCPSP(BaseSpecOmittedOrValueCheck): - - def __init__(self): + def __init__(self) -> None: # CIS-1.3 1.7.3 # CIS-1.5 5.2.3 name = "Do not admit containers wishing to share the host IPC namespace" id = "CKV_K8S_3" # Location: PodSecurityPolicy.spec.hostIPC - supported_kind = ['PodSecurityPolicy'] - categories = [CheckCategories.KUBERNETES] + supported_kind = ("PodSecurityPolicy",) + categories = (CheckCategories.KUBERNETES,) super().__init__(name=name, id=id, categories=categories, supported_entities=supported_kind) - def get_inspected_key(self): + def get_inspected_key(self) -> str: return "spec/hostIPC" diff --git a/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py b/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py index 3aca9c15fa2..08c098657de 100644 --- a/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py +++ b/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py @@ -3,6 +3,7 @@ from typing import Any from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.common.util.data_structures_utils import find_in_dict from checkov.kubernetes.checks.resource.base_spec_check import BaseK8Check @@ -35,18 +36,10 @@ def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult: if "spec" in conf: spec = conf["spec"] elif conf["kind"] == "CronJob": - spec = conf.get("spec") - if spec: - job_template = spec.get("jobTemplate") - if job_template: - job_template_spec = job_template.get("spec") - if job_template_spec: - template = job_template_spec.get("template") - if template: - if "spec" in template: - spec = template["spec"] + inner_spec = find_in_dict(input_dict=conf, key_path="spec/jobTemplate/spec/template/spec") + spec = inner_spec if inner_spec else spec else: - inner_spec = self.get_inner_entry(conf, "spec") + inner_spec = find_in_dict(input_dict=conf, key_path="spec/template/spec") spec = inner_spec if inner_spec else spec if spec: if "hostPID" in spec: diff --git a/checkov/kubernetes/checks/resource/k8s/ShareHostPIDPSP.py b/checkov/kubernetes/checks/resource/k8s/ShareHostPIDPSP.py index f2896d09f0b..f9ddc63fbff 100644 --- a/checkov/kubernetes/checks/resource/k8s/ShareHostPIDPSP.py +++ b/checkov/kubernetes/checks/resource/k8s/ShareHostPIDPSP.py @@ -3,18 +3,17 @@ class ShareHostPIDPSP(BaseSpecOmittedOrValueCheck): - - def __init__(self): + def __init__(self) -> None: # CIS-1.3 1.7.2 # CIS-1.5 5.2.2 name = "Do not admit containers wishing to share the host process ID namespace" id = "CKV_K8S_1" # Location: PodSecurityPolicy.spec.hostPID - supported_kind = ['PodSecurityPolicy'] - categories = [CheckCategories.KUBERNETES] + supported_kind = ("PodSecurityPolicy",) + categories = (CheckCategories.KUBERNETES,) super().__init__(name=name, id=id, categories=categories, supported_entities=supported_kind) - def get_inspected_key(self): + def get_inspected_key(self) -> str: return "spec/hostPID" diff --git a/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py b/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py index 5fe536a0c09..f2613f924a2 100644 --- a/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py +++ b/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py @@ -3,6 +3,7 @@ from typing import Any from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.common.util.data_structures_utils import find_in_dict from checkov.kubernetes.checks.resource.base_spec_check import BaseK8Check @@ -35,18 +36,10 @@ def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult: if "spec" in conf: spec = conf["spec"] elif conf["kind"] == "CronJob": - spec = conf.get("spec") - if spec: - job_template = spec.get("jobTemplate") - if job_template: - job_template_spec = job_template.get("spec") - if job_template_spec: - template = job_template_spec.get("template") - if template: - if "spec" in template: - spec = template["spec"] + inner_spec = find_in_dict(input_dict=conf, key_path="spec/jobTemplate/spec/template/spec") + spec = inner_spec if inner_spec else spec else: - inner_spec = self.get_inner_entry(conf, "spec") + inner_spec = find_in_dict(input_dict=conf, key_path="spec/template/spec") spec = inner_spec if inner_spec else spec if spec: if "hostNetwork" in spec: diff --git a/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespacePSP.py b/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespacePSP.py index ad3c2310e4a..8223cb41cc8 100644 --- a/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespacePSP.py +++ b/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespacePSP.py @@ -3,18 +3,17 @@ class SharedHostNetworkNamespacePSP(BaseSpecOmittedOrValueCheck): - - def __init__(self): + def __init__(self) -> None: # CIS-1.3 1.7.4 # CIS-1.5 5.2.4 name = "Do not admit containers wishing to share the host network namespace" id = "CKV_K8S_4" # Location: PodSecurityPolicy.spec.hostNetwork - supported_kind = ['PodSecurityPolicy'] - categories = [CheckCategories.KUBERNETES] + supported_kind = ("PodSecurityPolicy",) + categories = (CheckCategories.KUBERNETES,) super().__init__(name=name, id=id, categories=categories, supported_entities=supported_kind) - def get_inspected_key(self): + def get_inspected_key(self) -> str: return "spec/hostNetwork" diff --git a/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py b/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py index e5f2d6c7e3c..be003ea1987 100644 --- a/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py +++ b/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py @@ -16,7 +16,8 @@ def __init__(self) -> None: super().__init__(name=name, id=id, categories=categories, supported_entities=supported_kind) def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult: - if isinstance(conf.get("rules"), list) and len(conf.get("rules")) > 0: + rules = conf.get("rules") + if isinstance(rules, list) and len(rules) > 0: if "apiGroups" in conf["rules"][0]: if any("*" in s for s in conf["rules"][0]["apiGroups"]): return CheckResult.FAILED diff --git a/checkov/main.py b/checkov/main.py index 7629f726135..f3124c5e8ba 100755 --- a/checkov/main.py +++ b/checkov/main.py @@ -48,6 +48,7 @@ from checkov.common.output.baseline import Baseline from checkov.common.resource_code_logger_filter import add_resource_code_filter_to_logger from checkov.common.runners.runner_registry import RunnerRegistry +from checkov.common.sast.consts import SastLanguages from checkov.common.typing import LibraryGraph from checkov.common.util import prompt from checkov.common.util.banner import banner as checkov_banner, tool as checkov_tool @@ -70,7 +71,6 @@ from checkov.logging_init import log_stream as logs_stream from checkov.openapi.runner import Runner as openapi_runner from checkov.runner_filter import RunnerFilter -from checkov.sast.consts import SastLanguages from checkov.sast.prisma_models.report import serialize_reachability_report from checkov.sast.report import SastData, SastReport from checkov.sast.runner import Runner as sast_runner @@ -185,7 +185,7 @@ def normalize_config(self) -> None: if self.config.use_enforcement_rules and not self.config.bc_api_key: self.parser.error('Must specify an API key with --use-enforcement-rules') - if self.config.bc_api_key and not self.config.repo_id: + if self.config.bc_api_key and not self.config.repo_id and not self.config.list: self.parser.error('--repo-id is required when using a platform API key') if self.config.policy_metadata_filter and not (self.config.bc_api_key and self.config.prisma_api_url): diff --git a/checkov/runner_filter.py b/checkov/runner_filter.py index e3e28faaa44..5be3e12805f 100644 --- a/checkov/runner_filter.py +++ b/checkov/runner_filter.py @@ -8,19 +8,19 @@ import re from checkov.common.bridgecrew.check_type import CheckType -from checkov.sast.checks_infra.base_check import BaseSastCheck from checkov.common.secrets.consts import ValidationStatus from checkov.common.bridgecrew.code_categories import CodeCategoryMapping, CodeCategoryConfiguration, CodeCategoryType from checkov.common.bridgecrew.severities import Severity, Severities +from checkov.common.sast.consts import SastLanguages from checkov.common.util.consts import DEFAULT_EXTERNAL_MODULES_DIR from checkov.common.util.type_forcers import convert_csv_string_arg_to_list -from checkov.sast.consts import SastLanguages from checkov.common.util.str_utils import convert_to_seconds if TYPE_CHECKING: from checkov.common.checks.base_check import BaseCheck from checkov.common.graph.checks_infra.base_check import BaseGraphCheck + from checkov.sast.checks_infra.base_check import BaseSastCheck class RunnerFilter(object): diff --git a/checkov/sast/engines/base_engine.py b/checkov/sast/engines/base_engine.py index f74ef338c41..ceb1f1b0ed3 100644 --- a/checkov/sast/engines/base_engine.py +++ b/checkov/sast/engines/base_engine.py @@ -1,8 +1,8 @@ from abc import abstractmethod, ABC from typing import List, Set from checkov.common.output.report import Report +from checkov.common.sast.consts import SastLanguages from checkov.sast.checks_infra.base_registry import Registry -from checkov.sast.consts import SastLanguages class SastEngine(ABC): diff --git a/checkov/sast/engines/prisma_engine.py b/checkov/sast/engines/prisma_engine.py index 15ea4094e80..cd04d71b52a 100644 --- a/checkov/sast/engines/prisma_engine.py +++ b/checkov/sast/engines/prisma_engine.py @@ -18,12 +18,12 @@ from checkov.common.bridgecrew.severities import get_severity, Severity, Severities, BcSeverities from checkov.common.models.enums import CheckResult from checkov.common.output.report import Report +from checkov.common.sast.consts import SastLanguages from checkov.common.sca.reachability.sast_contract.data_fetcher_sast_lib import SastReachabilityDataFetcher from checkov.common.typing import _CheckResult from checkov.common.util.http_utils import request_wrapper from checkov.sast.checks_infra.base_registry import Registry from checkov.sast.common import get_code_block_from_start, get_data_flow_code_block -from checkov.sast.consts import SastLanguages from checkov.sast.engines.base_engine import SastEngine from checkov.sast.prisma_models.library_input import LibraryInput from checkov.sast.prisma_models.policies_list import SastPolicies diff --git a/checkov/sast/prisma_models/library_input.py b/checkov/sast/prisma_models/library_input.py index e28c9a1533b..e749d7d341c 100644 --- a/checkov/sast/prisma_models/library_input.py +++ b/checkov/sast/prisma_models/library_input.py @@ -1,7 +1,7 @@ from typing import Set, List from checkov.common.bridgecrew.severities import Severity -from checkov.sast.consts import SastLanguages +from checkov.common.sast.consts import SastLanguages import sys if sys.version_info < (3, 11): from typing_extensions import TypedDict, NotRequired diff --git a/checkov/sast/prisma_models/policies_list.py b/checkov/sast/prisma_models/policies_list.py index 70d32af3d89..77114cb09fd 100644 --- a/checkov/sast/prisma_models/policies_list.py +++ b/checkov/sast/prisma_models/policies_list.py @@ -1,7 +1,7 @@ from typing import Dict, Any, List, Union from pydantic import BaseModel, create_model -from checkov.sast.consts import SastLanguages +from checkov.common.sast.consts import SastLanguages class SastPolicyMetadataEntry(BaseModel): diff --git a/checkov/sast/prisma_models/report.py b/checkov/sast/prisma_models/report.py index 327f7bfa113..a71fddd8e62 100644 --- a/checkov/sast/prisma_models/report.py +++ b/checkov/sast/prisma_models/report.py @@ -1,6 +1,7 @@ from typing import Dict, List, Any, Optional, Union from pydantic import BaseModel -from checkov.sast.consts import SastLanguages + +from checkov.common.sast.consts import SastLanguages class Profiler(BaseModel): @@ -56,6 +57,7 @@ class Function(BaseModel): alias: str # noqa: CCE003 line_number: int # noqa: CCE003 code_block: str # noqa: CCE003 + cve_id: Optional[str] # noqa: CCE003 def to_dict(self) -> Dict[str, Any]: return self.__dict__ diff --git a/checkov/sast/report.py b/checkov/sast/report.py index bb591dec418..8a5b4ff3d57 100644 --- a/checkov/sast/report.py +++ b/checkov/sast/report.py @@ -1,7 +1,8 @@ +import logging from typing import Any, Dict, Union, List, Optional from checkov.common.output.report import Report -from checkov.sast.consts import POLICIES_ERRORS, POLICIES_ERRORS_COUNT, SOURCE_FILES_COUNT, POLICY_COUNT, SastLanguages +from checkov.common.sast.consts import POLICIES_ERRORS, POLICIES_ERRORS_COUNT, SOURCE_FILES_COUNT, POLICY_COUNT, SastLanguages class SastReport(Report): @@ -46,7 +47,7 @@ def get_formated_reachability_report(reachability_report_dict: Dict[SastLanguage for package_name, package_data in packages_data['packages'].items(): new_package = {'Name': package_name, 'Alias': package_data['alias'], 'Functions': []} for func in package_data['functions']: - new_func = {'Name': func['name'], 'Alias': func['alias'], 'LineNumber': func['line_number'], 'CodeBlock': [func['code_block']]} + new_func = {'Name': func['name'], 'Alias': func['alias'], 'LineNumber': func['line_number'], 'CodeBlock': [func['code_block']], 'CveId': func.get('cve_id', '')} new_package['Functions'].append(new_func) new_file['Packages'].append(new_package) new_repo['Files'].append(new_file) @@ -76,3 +77,25 @@ def get_sast_import_report(scan_reports: List[SastReport]) -> Dict[str, Any]: if current_imports: sast_imports_report[report.language][file_name] = {'all': current_imports} return {"imports": sast_imports_report} + + @staticmethod + def get_sast_reachability_report(scan_reports: List[SastReport]) -> Dict[str, Any]: + first_found_repo_name = None + sast_reachability_report: Dict[SastLanguages, Any] = {} + for report in scan_reports: + sast_reachability_report[report.language] = {} + for report in scan_reports: + for repo_name, repo_data in report.sast_reachability.items(): + + # validating we are dealing only with one repo, as it happens for imports report + if first_found_repo_name: + if repo_name != first_found_repo_name: + logging.error(f'[get_sast_reachability_report] - found more than one repository in ' + f'the scan reports. {scan_reports}') + return {"reachability": {}} + else: + first_found_repo_name = repo_name + + for file_name, file_data in repo_data.files.items(): + sast_reachability_report[report.language][file_name] = file_data + return {"reachability": sast_reachability_report} diff --git a/checkov/sast/runner.py b/checkov/sast/runner.py index 8283d40f16b..45b78138e37 100644 --- a/checkov/sast/runner.py +++ b/checkov/sast/runner.py @@ -7,9 +7,9 @@ from checkov.common.bridgecrew.check_type import CheckType from checkov.common.output.report import Report from checkov.common.runners.base_runner import BaseRunner +from checkov.common.sast.consts import SUPPORT_FILE_EXT, FILE_EXT_TO_SAST_LANG from checkov.runner_filter import RunnerFilter from checkov.sast.checks_infra.base_registry import Registry -from checkov.sast.consts import SUPPORT_FILE_EXT, FILE_EXT_TO_SAST_LANG from checkov.sast.engines.prisma_engine import PrismaEngine from typing import List, Optional diff --git a/checkov/sca_package_2/output.py b/checkov/sca_package_2/output.py index bb75e4e9eb6..395b7fb0aeb 100644 --- a/checkov/sca_package_2/output.py +++ b/checkov/sca_package_2/output.py @@ -11,13 +11,13 @@ from checkov.common.bridgecrew.severities import BcSeverities from checkov.common.models.enums import CheckResult from checkov.common.output.record import Record, SCA_PACKAGE_SCAN_CHECK_NAME, SCA_LICENSE_CHECK_NAME -from checkov.common.output.common import get_package_name_with_lines, validate_lines +from checkov.common.output.common import get_package_name_with_lines, validate_lines, get_reachability_output_indication from checkov.common.packaging import version as packaging_version from checkov.common.sca.commons import UNFIXABLE_VERSION, get_package_alias from checkov.common.typing import _LicenseStatusWithLines from checkov.common.output.common import compare_table_items_severity -REACHABILITY_RISK_FACTORS_KEYS = ["IsUsed"] +REACHABILITY_RISK_FACTORS_KEYS = ["IsUsed", "ReachableFunction"] @dataclass @@ -151,14 +151,11 @@ def create_cli_output(fixable: bool = True, *cve_records: list[Record]) -> str: lines_details_found_cves = True risk_factors = {} if not record.vulnerability_details or not record.vulnerability_details.get("risk_factors", {}) else record.vulnerability_details.get("risk_factors", {}) - if risk_factors.get("IsUsed"): - cve_count.used += 1 - reachability_risk_factors_tmp = {} - if record.vulnerability_details is not None: - reachability_risk_factors_tmp = {key: value for key, value in - risk_factors.items() - if key in REACHABILITY_RISK_FACTORS_KEYS} + reachability_risk_factors_tmp = {key: value for key, value in risk_factors.items() + if key in REACHABILITY_RISK_FACTORS_KEYS} + if any([value for value in reachability_risk_factors_tmp.values()]): + cve_count.used += 1 package_cves_details_map[root_package_alias].setdefault("cves", []).append( { @@ -392,7 +389,7 @@ def create_package_overview_table_part( package_alias = get_package_alias(package_name, package_version) is_root = package_alias == root_package_alias is_public_overview = "(Public)" if cve['is_private_fix'] is False else "" - reachability = "Package Used" if cve.get('reachability_risk_factors', {}).get("IsUsed", False) else "" + reachability = get_reachability_output_indication(cve.get('reachability_risk_factors', {})) compliant_version_overview = "" if cve_idx == 0: cur_compliant_version = compliant_version + is_public_overview if compliant_version and compliant_version != UNFIXABLE_VERSION else compliant_version diff --git a/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml b/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml new file mode 100644 index 00000000000..293a423d722 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml @@ -0,0 +1,17 @@ +metadata: + id: "CKV2_AZURE_40" + name: "Ensure storage account is not configured with Shared Key authorization" + category: "IAM" + +definition: + and: + - cond_type: "attribute" + resource_types: "azurerm_storage_account" + attribute: "shared_access_key_enabled" + operator: "exists" + + - cond_type: "attribute" + resource_types: "azurerm_storage_account" + attribute: "shared_access_key_enabled" + operator: "equals_ignore_case" + value: "false" \ No newline at end of file diff --git a/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml b/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml new file mode 100644 index 00000000000..a0c6c00dd3f --- /dev/null +++ b/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml @@ -0,0 +1,38 @@ +metadata: + id: "CKV2_AZURE_41" + name: "Ensure storage account is configured with SAS expiration policy" + category: "IAM" + +definition: + or: + + - cond_type: "attribute" + resource_types: "azurerm_storage_account" + attribute: "shared_access_key_enabled" + operator: "equals_ignore_case" + value: "false" + + - and: + - cond_type: "attribute" + resource_types: "azurerm_storage_account" + attribute: "shared_access_key_enabled" + operator: "exists" + + - cond_type: "attribute" + resource_types: "azurerm_storage_account" + attribute: "shared_access_key_enabled" + operator: "equals_ignore_case" + value: "true" + + - cond_type: "attribute" + resource_types: "azurerm_storage_account" + attribute: "sas_policy" + operator: "exists" + + - cond_type: "attribute" + resource_types: "azurerm_storage_account" + attribute: "sas_policy.expiration_period" + operator: "length_greater_than" + value: "0" + + diff --git a/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml b/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml new file mode 100644 index 00000000000..60d13f14041 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml @@ -0,0 +1,52 @@ +metadata: + id: "CKV2_AZURE_39" + + name: "Ensure Azure VM is not configured with public IP and serial console access" + category: "NETWORKING" + +definition: + or: + - and: + - cond_type: filter + attribute: resource_type + value: + - azurerm_network_interface + operator: within + + - resource_types: + - azurerm_network_interface + connected_resource_types: + - azurerm_linux_virtual_machine + - azurerm_windows_virtual_machine + - azurerm_virtual_machine + operator: exists + cond_type: connection + + - cond_type: attribute + resource_types: + - azurerm_network_interface + attribute: ip_configuration.public_ip_address_id + operator: length_greater_than + value: 0 + + - cond_type: attribute + resource_types: + - azurerm_linux_virtual_machine + - azurerm_windows_virtual_machine + - azurerm_virtual_machine + attribute: boot_diagnostics + operator: not_exists + + - cond_type: attribute + resource_types: + - azurerm_network_interface + attribute: ip_configuration.public_ip_address_id + operator: not_exists + + - cond_type: attribute + resource_types: + - azurerm_network_interface + attribute: ip_configuration.public_ip_address_id + operator: length_less_than_or_equal + value: 0 + diff --git a/checkov/terraform/checks/resource/aws/MQBrokerVersion.py b/checkov/terraform/checks/resource/aws/MQBrokerVersion.py index 45930afd416..cc4e9d978df 100644 --- a/checkov/terraform/checks/resource/aws/MQBrokerVersion.py +++ b/checkov/terraform/checks/resource/aws/MQBrokerVersion.py @@ -4,8 +4,8 @@ ENGINE_VERSION_PATTERN = re.compile(r"(\d+\.\d+.\d+)") ENGINE_VERSION_SHORT_PATTERN = re.compile(r"(\d+\.\d+)") -MINIMUM_ACTIVEMQ_VERSION = 5.16 -MINIMUM_RABBITMQ_VERSION = 3.8 +MINIMUM_ACTIVEMQ_VERSION = 5.17 +MINIMUM_RABBITMQ_VERSION = 3.11 class MQBrokerVersion(BaseResourceCheck): diff --git a/checkov/terraform/checks/resource/azure/AKSOnlyCriticalPodsOnSystemNodes.py b/checkov/terraform/checks/resource/azure/AKSOnlyCriticalPodsOnSystemNodes.py new file mode 100644 index 00000000000..02102f94993 --- /dev/null +++ b/checkov/terraform/checks/resource/azure/AKSOnlyCriticalPodsOnSystemNodes.py @@ -0,0 +1,24 @@ +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class AKSOnlyCriticalPodsOnSystemNodes(BaseResourceValueCheck): + def __init__(self) -> None: + """ + Microsoft recommends to isolate critical system pods from application pods + to prevent misconfigured or rogue application pods from accidentally killing system pods. + + This can be enforced by creating a dedicated system node pool with the CriticalAddonsOnly=true:NoSchedule taint + to prevent application pods from being scheduled on system node pools. + """ + name = "Ensure that only critical system pods run on system nodes" + id = "CKV_AZURE_232" + supported_resources = ("azurerm_kubernetes_cluster",) + categories = (CheckCategories.KUBERNETES,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "default_node_pool/[0]/only_critical_addons_enabled" + + +check = AKSOnlyCriticalPodsOnSystemNodes() diff --git a/checkov/terraform/checks/resource/azure/AppServiceEnvironmentZoneRedundant.py b/checkov/terraform/checks/resource/azure/AppServiceEnvironmentZoneRedundant.py new file mode 100644 index 00000000000..0ec7db4f73f --- /dev/null +++ b/checkov/terraform/checks/resource/azure/AppServiceEnvironmentZoneRedundant.py @@ -0,0 +1,17 @@ +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class AppServiceEnvironmentZoneRedundant(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure App Service Environment is zone redundant" + id = "CKV_AZURE_231" + supported_resources = ("azurerm_app_service_environment_v3",) + categories = (CheckCategories.BACKUP_AND_RECOVERY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "zone_redundant" + + +check = AppServiceEnvironmentZoneRedundant() diff --git a/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py b/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py index cf80b55ec85..f9ea1d6e8f7 100644 --- a/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py +++ b/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py @@ -6,12 +6,12 @@ class AppServiceSlotHTTPSOnly(BaseResourceValueCheck): def __init__(self): name = "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" id = "CKV_AZURE_153" - supported_resources = ['azurerm_app_service_slot'] + supported_resources = ["azurerm_app_service_slot", "azurerm_linux_web_app_slot", "azurerm_windows_web_app_slot"] categories = [CheckCategories.NETWORKING] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) def get_inspected_key(self): - return 'https_only/[0]' + return "https_only/[0]" check = AppServiceSlotHTTPSOnly() diff --git a/checkov/terraform/checks/resource/azure/RedisCacheStandardReplicationEnabled.py b/checkov/terraform/checks/resource/azure/RedisCacheStandardReplicationEnabled.py new file mode 100644 index 00000000000..a2cb29fe574 --- /dev/null +++ b/checkov/terraform/checks/resource/azure/RedisCacheStandardReplicationEnabled.py @@ -0,0 +1,35 @@ +from __future__ import annotations + +from typing import Any + +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class RedisCacheStandardReplicationEnabled(BaseResourceValueCheck): + def __init__(self) -> None: + """ + With Standard Replication, Azure Cache for Redis has a high availability architecture + that ensures your managed instance is functioning, even when outages affect + the underlying virtual machines (VMs). Whether the outage is planned or unplanned outages, + Azure Cache for Redis delivers greater percentage availability rates than what's attainable + by hosting Redis on a single VM. + + An Azure Cache for Redis in the applicable tiers runs on a pair of Redis servers by default. + The two servers are hosted on dedicated VMs. + Open-source Redis allows only one server to handle data write requests. + """ + name = "Standard Replication should be enabled" + id = "CKV_AZURE_230" + supported_resources = ("azurerm_redis_cache",) + categories = (CheckCategories.BACKUP_AND_RECOVERY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "sku_name" + + def get_expected_values(self) -> list[Any]: + return ["Standard", "Premium"] + + +check = RedisCacheStandardReplicationEnabled() diff --git a/checkov/terraform/checks/resource/gcp/BigQueryTableDeletionProtection.py b/checkov/terraform/checks/resource/gcp/BigQueryTableDeletionProtection.py new file mode 100644 index 00000000000..2d87c89bb36 --- /dev/null +++ b/checkov/terraform/checks/resource/gcp/BigQueryTableDeletionProtection.py @@ -0,0 +1,21 @@ +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories, CheckResult + + +class BigQueryTableDeletionProtection(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure BigQuery tables have deletion protection enabled" + id = "CKV_GCP_121" + supported_resources = ['google_bigquery_table'] + categories = [CheckCategories.GENERAL_SECURITY] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, + missing_block_result=CheckResult.FAILED) + + def get_inspected_key(self) -> str: + return 'deletion_protection' + + def get_expected_value(self) -> bool: + return True + + +check = BigQueryTableDeletionProtection() diff --git a/checkov/terraform/checks/resource/gcp/BigTableInstanceDeletionProtection.py b/checkov/terraform/checks/resource/gcp/BigTableInstanceDeletionProtection.py new file mode 100644 index 00000000000..37545c10152 --- /dev/null +++ b/checkov/terraform/checks/resource/gcp/BigTableInstanceDeletionProtection.py @@ -0,0 +1,21 @@ +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories, CheckResult + + +class BigTableInstanceDeletionProtection(BaseResourceValueCheck): + def __init__(self): + name = "Ensure Big Table Instances have deletion protection enabled" + id = "CKV_GCP_122" + supported_resources = ['google_bigtable_instance'] + categories = [CheckCategories.ENCRYPTION] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, + missing_block_result=CheckResult.FAILED) + + def get_inspected_key(self): + return 'deletion_protection' + + def get_expected_value(self): + return True + + +check = BigTableInstanceDeletionProtection() diff --git a/checkov/terraform/checks/resource/gcp/SpannerDatabaseDeletionProtection.py b/checkov/terraform/checks/resource/gcp/SpannerDatabaseDeletionProtection.py new file mode 100644 index 00000000000..235b526d64b --- /dev/null +++ b/checkov/terraform/checks/resource/gcp/SpannerDatabaseDeletionProtection.py @@ -0,0 +1,21 @@ +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories, CheckResult + + +class SpannerDatabaseDeletionProtection(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure Spanner Database has deletion protection enabled" + id = "CKV_GCP_119" + supported_resources = ['google_spanner_database'] + categories = [CheckCategories.GENERAL_SECURITY] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, + missing_block_result=CheckResult.PASSED) + + def get_inspected_key(self) -> str: + return 'deletion_protection' + + def get_expected_value(self) -> bool: + return True + + +check = SpannerDatabaseDeletionProtection() diff --git a/checkov/terraform/checks/resource/gcp/SpannerDatabaseDropProtection.py b/checkov/terraform/checks/resource/gcp/SpannerDatabaseDropProtection.py new file mode 100644 index 00000000000..faa951d9c5e --- /dev/null +++ b/checkov/terraform/checks/resource/gcp/SpannerDatabaseDropProtection.py @@ -0,0 +1,21 @@ +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories, CheckResult + + +class SpannerDatabaseDropProtection(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure Spanner Database has drop protection enabled" + id = "CKV_GCP_120" + supported_resources = ["google_spanner_database"] + categories = [CheckCategories.GENERAL_SECURITY] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, + missing_block_result=CheckResult.FAILED) + + def get_inspected_key(self) -> str: + return "enable_drop_protection" + + def get_expected_value(self) -> bool: + return True + + +check = SpannerDatabaseDropProtection() diff --git a/checkov/version.py b/checkov/version.py index 696530eaa2b..7b9c075ef4f 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '3.0.14' +version = '3.0.26' diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index c57611ace83..893695e02db 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -1894,1750 +1894,1765 @@ nav_order: 1 | 1883 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMEncryptionAtHost.py) | | 1884 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | [APIManagementCertsEnforced.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementCertsEnforced.py) | | 1885 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | -| 1886 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | [AppServiceSlotMinTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py) | -| 1887 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotDebugDisabled.py) | -| 1888 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | [MSSQLServerAuditPolicyLogMonitor.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerAuditPolicyLogMonitor.py) | -| 1889 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesDataExfilProtection.py) | -| 1890 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace is not public | Terraform | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py) | -| 1891 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | -| 1892 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | -| 1893 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 1894 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 1895 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 1896 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 1897 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | -| 1898 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | -| 1899 | CKV_AZURE_161 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal is enabled on for HTTPS | Terraform | [SpringCloudAPIPortalHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalHTTPSOnly.py) | -| 1900 | CKV_AZURE_162 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal Public Access Is Disabled | Terraform | [SpringCloudAPIPortalPublicAccessIsDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py) | -| 1901 | CKV_AZURE_163 | resource | azurerm_container_registry | Enable vulnerability scanning for container images. | Terraform | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py) | -| 1902 | CKV_AZURE_164 | resource | azurerm_container_registry | Ensures that ACR uses signed/trusted images | Terraform | [ACRUseSignedImages.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRUseSignedImages.py) | -| 1903 | CKV_AZURE_165 | resource | azurerm_container_registry | Ensure geo-replicated container registries to match multi-region container deployments. | Terraform | [ACRGeoreplicated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py) | -| 1904 | CKV_AZURE_166 | resource | azurerm_container_registry | Ensure container image quarantine, scan, and mark images verified | Terraform | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableImageQuarantine.py) | -| 1905 | CKV_AZURE_167 | resource | azurerm_container_registry | Ensure a retention policy is set to cleanup untagged manifests. | Terraform | [ACREnableRetentionPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py) | -| 1906 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | -| 1907 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster_node_pool | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | -| 1908 | CKV_AZURE_169 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Terraform | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSPoolTypeIsScaleSet.py) | -| 1909 | CKV_AZURE_170 | resource | azurerm_kubernetes_cluster | Ensure that AKS use the Paid Sku for its SLA | Terraform | [AKSIsPaidSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSIsPaidSku.py) | -| 1910 | CKV_AZURE_171 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster upgrade channel is chosen | Terraform | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUpgradeChannel.py) | -| 1911 | CKV_AZURE_172 | resource | azurerm_kubernetes_cluster | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Terraform | [AKSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSSecretStoreRotation.py) | -| 1912 | CKV_AZURE_173 | resource | azurerm_api_management | Ensure API management uses at least TLS 1.2 | Terraform | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py) | -| 1913 | CKV_AZURE_174 | resource | azurerm_api_management | Ensure API management public access is disabled | Terraform | [APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementPublicAccess.py) | -| 1914 | CKV_AZURE_175 | resource | azurerm_web_pubsub | Ensure Web PubSub uses a SKU with an SLA | Terraform | [PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSKUSLA.py) | -| 1915 | CKV_AZURE_176 | resource | azurerm_web_pubsub | Ensure Web PubSub uses managed identities to access Azure resources | Terraform | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSpecifyIdentity.py) | -| 1916 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | -| 1917 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine_scale_set | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | -| 1918 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | -| 1919 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine_scale_set | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | -| 1920 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1921 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1922 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1923 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1924 | CKV_AZURE_180 | resource | azurerm_kusto_cluster | Ensure that data explorer uses Sku with an SLA | Terraform | [DataExplorerSKUHasSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerSKUHasSLA.py) | -| 1925 | CKV_AZURE_181 | resource | azurerm_kusto_cluster | Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. | Terraform | [DataExplorerServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerServiceIdentity.py) | -| 1926 | CKV_AZURE_182 | resource | azurerm_virtual_network | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | -| 1927 | CKV_AZURE_182 | resource | azurerm_virtual_network_dns_servers | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | -| 1928 | CKV_AZURE_183 | resource | azurerm_virtual_network | Ensure that VNET uses local DNS addresses | Terraform | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetLocalDNS.py) | -| 1929 | CKV_AZURE_184 | resource | azurerm_app_configuration | Ensure 'local_auth_enabled' is set to 'False' | Terraform | [AppConfigLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigLocalAuth.py) | -| 1930 | CKV_AZURE_185 | resource | azurerm_app_configuration | Ensure 'Public Access' is not Enabled for App configuration | Terraform | [AppConfigPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPublicAccess.py) | -| 1931 | CKV_AZURE_186 | resource | azurerm_app_configuration | Ensure App configuration encryption block is set. | Terraform | [AppConfigEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigEncryption.py) | -| 1932 | CKV_AZURE_187 | resource | azurerm_app_configuration | Ensure App configuration purge protection is enabled | Terraform | [AppConfigPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPurgeProtection.py) | -| 1933 | CKV_AZURE_188 | resource | azurerm_app_configuration | Ensure App configuration Sku is standard | Terraform | [AppConfigSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigSku.py) | -| 1934 | CKV_AZURE_189 | resource | azurerm_key_vault | Ensure that Azure Key Vault disables public network access | Terraform | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py) | -| 1935 | CKV_AZURE_190 | resource | azurerm_storage_account | Ensure that Storage blobs restrict public access | Terraform | [StorageBlobRestrictPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py) | -| 1936 | CKV_AZURE_191 | resource | azurerm_eventgrid_topic | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Terraform | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicIdentityProviderEnabled.py) | -| 1937 | CKV_AZURE_192 | resource | azurerm_eventgrid_topic | Ensure that Azure Event Grid Topic local Authentication is disabled | Terraform | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicLocalAuthentication.py) | -| 1938 | CKV_AZURE_193 | resource | azurerm_eventgrid_topic | Ensure public network access is disabled for Azure Event Grid Topic | Terraform | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicNetworkAccess.py) | -| 1939 | CKV_AZURE_194 | resource | azurerm_eventgrid_domain | Ensure that Managed identity provider is enabled for Azure Event Grid Domain | Terraform | [EventgridDomainIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainIdentityProviderEnabled.py) | -| 1940 | CKV_AZURE_195 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain local Authentication is disabled | Terraform | [EventgridDomainLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainLocalAuthentication.py) | -| 1941 | CKV_AZURE_196 | resource | azurerm_signalr_service | Ensure that SignalR uses a Paid Sku for its SLA | Terraform | [SignalRSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SignalRSKUSLA.py) | -| 1942 | CKV_AZURE_197 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN disables the HTTP endpoint | Terraform | [CDNDisableHttpEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNDisableHttpEndpoints.py) | -| 1943 | CKV_AZURE_198 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN enables the HTTPS endpoint | Terraform | [CDNEnableHttpsEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNEnableHttpsEndpoints.py) | -| 1944 | CKV_AZURE_199 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses double encryption | Terraform | [AzureServicebusDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusDoubleEncryptionEnabled.py) | -| 1945 | CKV_AZURE_200 | resource | azurerm_cdn_endpoint_custom_domain | Ensure the Azure CDN endpoint is using the latest version of TLS encryption | Terraform | [CDNTLSProtocol12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py) | -| 1946 | CKV_AZURE_201 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses a customer-managed key to encrypt data | Terraform | [AzureServicebusHasCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusHasCMK.py) | -| 1947 | CKV_AZURE_202 | resource | azurerm_servicebus_namespace | Ensure that Managed identity provider is enabled for Azure Service Bus | Terraform | [AzureServicebusIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusIdentityProviderEnabled.py) | -| 1948 | CKV_AZURE_203 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus Local Authentication is disabled | Terraform | [AzureServicebusLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusLocalAuthDisabled.py) | -| 1949 | CKV_AZURE_204 | resource | azurerm_servicebus_namespace | Ensure 'public network access enabled' is set to 'False' for Azure Service Bus | Terraform | [AzureServicebusPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusPublicAccessDisabled.py) | -| 1950 | CKV_AZURE_205 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus is using the latest version of TLS encryption | Terraform | [AzureServicebusMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusMinTLSVersion.py) | -| 1951 | CKV_AZURE_206 | resource | azurerm_storage_account | Ensure that Storage Accounts use replication | Terraform | [StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsUseReplication.py) | -| 1952 | CKV_AZURE_207 | resource | azurerm_search_service | Ensure Azure Cognitive Search service uses managed identities to access Azure resources | Terraform | [AzureSearchManagedIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchManagedIdentity.py) | -| 1953 | CKV_AZURE_208 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for index updates | Terraform | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAIndex.py) | -| 1954 | CKV_AZURE_209 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for search index queries | Terraform | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAQueryUpdates.py) | -| 1955 | CKV_AZURE_210 | resource | azurerm_search_service | Ensure Azure Cognitive Search service allowed IPS does not give public Access | Terraform | [AzureSearchAllowedIPsNotGlobal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchAllowedIPsNotGlobal.py) | -| 1956 | CKV_AZURE_211 | resource | azurerm_service_plan | Ensure App Service plan suitable for production use | Terraform | [AppServiceSkuMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSkuMinimum.py) | -| 1957 | CKV_AZURE_212 | resource | azurerm_service_plan | Ensure App Service has a minimum number of instances for failover | Terraform | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py) | -| 1958 | CKV_AZURE_213 | resource | azurerm_app_service | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1959 | CKV_AZURE_213 | resource | azurerm_linux_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1960 | CKV_AZURE_213 | resource | azurerm_windows_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1961 | CKV_AZURE_214 | resource | azurerm_linux_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | -| 1962 | CKV_AZURE_214 | resource | azurerm_windows_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | -| 1963 | CKV_AZURE_215 | resource | azurerm_api_management_backend | Ensure API management backend uses https | Terraform | [APIManagementBackendHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementBackendHTTPS.py) | -| 1964 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | arm | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | -| 1965 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Bicep | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | -| 1966 | CKV_AZURE_216 | resource | azurerm_firewall | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Terraform | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDenyThreatIntelMode.py) | -| 1967 | CKV_AZURE_217 | resource | azurerm_application_gateway | Ensure Azure Application gateways listener that allow connection requests over HTTP | Terraform | [AppGWUsesHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUsesHttps.py) | -| 1968 | CKV_AZURE_218 | resource | azurerm_application_gateway | Ensure Application Gateway defines secure protocols for in transit communication | Terraform | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py) | -| 1969 | CKV_AZURE_219 | resource | azurerm_firewall | Ensure Firewall defines a firewall policy | Terraform | [AzureFirewallDefinesPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDefinesPolicy.py) | -| 1970 | CKV_AZURE_220 | resource | azurerm_firewall_policy | Ensure Firewall policy has IDPS mode as deny | Terraform | [AzureFirewallPolicyIDPSDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallPolicyIDPSDeny.py) | -| 1971 | CKV_AZURE_221 | resource | azurerm_linux_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1972 | CKV_AZURE_221 | resource | azurerm_linux_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1973 | CKV_AZURE_221 | resource | azurerm_windows_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1974 | CKV_AZURE_221 | resource | azurerm_windows_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1975 | CKV_AZURE_222 | resource | azurerm_linux_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | -| 1976 | CKV_AZURE_222 | resource | azurerm_windows_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | -| 1977 | CKV_AZURE_223 | resource | azurerm_eventhub_namespace | Ensure Event Hub Namespace uses at least TLS 1.2 | Terraform | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceMinTLS12.py) | -| 1978 | CKV_AZURE_224 | resource | azurerm_mssql_database | Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity | Terraform | [SQLDatabaseLedgerEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseLedgerEnabled.py) | -| 1979 | CKV_AZURE_225 | resource | azurerm_service_plan | Ensure the App Service Plan is zone redundant | Terraform | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py) | -| 1980 | CKV_AZURE_226 | resource | azurerm_kubernetes_cluster | Ensure ephemeral disks are used for OS disks | Terraform | [AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py) | -| 1981 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | -| 1982 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster_node_pool | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | -| 1983 | CKV_AZURE_228 | resource | azurerm_eventhub_namespace | Ensure the Azure Event Hub Namespace is zone redundant | Terraform | [EventHubNamespaceZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceZoneRedundant.py) | -| 1984 | CKV_AZURE_229 | resource | azurerm_mssql_database | Ensure the Azure SQL Database Namespace is zone redundant | Terraform | [SQLDatabaseZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseZoneRedundant.py) | -| 1985 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | [StorageCriticalDataEncryptedCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageCriticalDataEncryptedCMK.yaml) | -| 1986 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | -| 1987 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | -| 1988 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1989 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1990 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1991 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1992 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1993 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1994 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1995 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1996 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1997 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1998 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1999 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 2000 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | -| 2001 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | -| 2002 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | [AzureActiveDirectoryAdminIsConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureActiveDirectoryAdminIsConfigured.yaml) | -| 2003 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 2004 | CKV2_AZURE_8 | resource | azurerm_storage_account | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 2005 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 2006 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | [VirtualMachinesUtilizingManagedDisks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VirtualMachinesUtilizingManagedDisks.yaml) | -| 2007 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | -| 2008 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | -| 2009 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | [DataExplorerEncryptionUsesCustomKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DataExplorerEncryptionUsesCustomKey.yaml) | -| 2010 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | [VMHasBackUpMachine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VMHasBackUpMachine.yaml) | -| 2011 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | -| 2012 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | -| 2013 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | -| 2014 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | -| 2015 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | [AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml) | -| 2016 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | -| 2017 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | -| 2018 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | -| 2019 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | -| 2020 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | [AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml) | -| 2021 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 2022 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 2023 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 2024 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 2025 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 2026 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 2027 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | -| 2028 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | -| 2029 | CKV2_AZURE_23 | resource | Microsoft.AppPlatform/Spring | Ensure Azure spring cloud is configured with Virtual network (Vnet) | arm | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureSpringCloudConfigWithVnet.yaml) | -| 2030 | CKV2_AZURE_23 | resource | azurerm_spring_cloud_service | Ensure Azure spring cloud is configured with Virtual network (Vnet) | Terraform | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudConfigWithVnet.yaml) | -| 2031 | CKV2_AZURE_24 | resource | azurerm_automation_account | Ensure Azure automation account does NOT have overly permissive network access | Terraform | [AzureAutomationAccNotOverlyPermissiveNetAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccNotOverlyPermissiveNetAccess.yaml) | -| 2032 | CKV2_AZURE_25 | resource | azurerm_mssql_database | Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled | Terraform | [AzureSqlDbEnableTransparentDataEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSqlDbEnableTransparentDataEncryption.yaml) | -| 2033 | CKV2_AZURE_26 | resource | azurerm_postgresql_flexible_server_firewall_rule | Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access | Terraform | [AzurePostgreSQLFlexServerNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLFlexServerNotOverlyPermissive.yaml) | -| 2034 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | arm | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | -| 2035 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Bicep | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | -| 2036 | CKV2_AZURE_27 | resource | azurerm_mssql_server | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Terraform | [AzureConfigMSSQLwithAD.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml) | -| 2037 | CKV2_AZURE_28 | resource | azurerm_container_group | Ensure Container Instance is configured with managed identity | Terraform | [AzureContainerInstanceconfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureContainerInstanceconfigManagedIdentity.yaml) | -| 2038 | CKV2_AZURE_29 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Azure CNI networking enabled | Terraform | [AzureAKSclusterAzureCNIEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAKSclusterAzureCNIEnabled.yaml) | -| 2039 | CKV2_AZURE_30 | resource | azurerm_container_registry_webhook | Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook | Terraform | [AzureACR_HTTPSwebhook.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureACR_HTTPSwebhook.yaml) | -| 2040 | CKV2_AZURE_31 | resource | azurerm_subnet | Ensure VNET subnet is configured with a Network Security Group (NSG) | Terraform | [AzureSubnetConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSubnetConfigWithNSG.yaml) | -| 2041 | CKV2_AZURE_32 | resource | azurerm_key_vault | Ensure private endpoint is configured to key vault | Terraform | [AzureKeyVaultConfigPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureKeyVaultConfigPrivateEndpoint.yaml) | -| 2042 | CKV2_AZURE_33 | resource | azurerm_storage_account | Ensure storage account is configured with private endpoint | Terraform | [AzureStorageAccConfigWithPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithPrivateEndpoint.yaml) | -| 2043 | CKV2_AZURE_34 | resource | azurerm_sql_firewall_rule | Ensure Azure SQL server firewall is not overly permissive | Terraform | [AzureSQLserverNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSQLserverNotOverlyPermissive.yaml) | -| 2044 | CKV2_AZURE_35 | resource | azurerm_recovery_services_vault | Ensure Azure recovery services vault is configured with managed identity | Terraform | [AzureRecoveryServicesvaultConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureRecoveryServicesvaultConfigManagedIdentity.yaml) | -| 2045 | CKV2_AZURE_36 | resource | azurerm_automation_account | Ensure Azure automation account is configured with managed identity | Terraform | [AzureAutomationAccConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccConfigManagedIdentity.yaml) | -| 2046 | CKV2_AZURE_37 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is using latest TLS (1.2) | Terraform | [AzureMariaDBserverUsingTLS_1_2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverUsingTLS_1_2.yaml) | -| 2047 | CKV2_AZURE_38 | resource | azurerm_storage_account | Ensure soft-delete is enabled on Azure storage account | Terraform | [AzureStorageAccountEnableSoftDelete.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccountEnableSoftDelete.yaml) | -| 2048 | CKV_AZUREPIPELINES_1 | azure_pipelines | jobs | Ensure container job uses a non latest version tag | Azure Pipelines | [ContainerLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerLatestTag.py) | -| 2049 | CKV_AZUREPIPELINES_1 | azure_pipelines | stages[].jobs[] | Ensure container job uses a non latest version tag | Azure Pipelines | [ContainerLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerLatestTag.py) | -| 2050 | CKV_AZUREPIPELINES_2 | azure_pipelines | jobs | Ensure container job uses a version digest | Azure Pipelines | [ContainerDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerDigest.py) | -| 2051 | CKV_AZUREPIPELINES_2 | azure_pipelines | stages[].jobs[] | Ensure container job uses a version digest | Azure Pipelines | [ContainerDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerDigest.py) | -| 2052 | CKV_AZUREPIPELINES_3 | azure_pipelines | jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | [SetSecretVariable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/SetSecretVariable.py) | -| 2053 | CKV_AZUREPIPELINES_3 | azure_pipelines | stages[].jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | [SetSecretVariable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/SetSecretVariable.py) | -| 2054 | CKV_AZUREPIPELINES_5 | azure_pipelines | *.container[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | -| 2055 | CKV_AZUREPIPELINES_5 | azure_pipelines | jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | -| 2056 | CKV_AZUREPIPELINES_5 | azure_pipelines | stages[].jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | -| 2057 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/bridgecrew/credentials.py) | -| 2058 | CKV_BITBUCKET_1 | bitbucket_configuration | * | Merge requests should require at least 2 approvals | bitbucket_configuration | [merge_requests_approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket/checks/merge_requests_approvals.py) | -| 2059 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | [{image:image,__startline__:__startline__,__endline__:__endline__}] | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | -| 2060 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines.*.[*][][][].step.{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | -| 2061 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines.default[].step.{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | -| 2062 | CKV_CIRCLECIPIPELINES_1 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | circleci_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/latest_image.py) | -| 2063 | CKV_CIRCLECIPIPELINES_2 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image version is referenced via hash not arbitrary tag. | circleci_pipelines | [image_version_not_hash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/image_version_not_hash.py) | -| 2064 | CKV_CIRCLECIPIPELINES_3 | circleci_pipelines | orbs.{orbs: @} | Ensure mutable development orbs are not used. | circleci_pipelines | [prevent_development_orbs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/prevent_development_orbs.py) | -| 2065 | CKV_CIRCLECIPIPELINES_4 | circleci_pipelines | orbs.{orbs: @} | Ensure unversioned volatile orbs are not used. | circleci_pipelines | [prevent_volatile_orbs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/prevent_volatile_orbs.py) | -| 2066 | CKV_CIRCLECIPIPELINES_5 | circleci_pipelines | jobs.*.steps[] | Suspicious use of netcat with IP address | circleci_pipelines | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/ReverseShellNetcat.py) | -| 2067 | CKV_CIRCLECIPIPELINES_6 | circleci_pipelines | jobs.*.steps[] | Ensure run commands are not vulnerable to shell injection | circleci_pipelines | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/ShellInjection.py) | -| 2068 | CKV_CIRCLECIPIPELINES_7 | circleci_pipelines | jobs.*.steps[] | Suspicious use of curl in run task | circleci_pipelines | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/SuspectCurlInScript.py) | -| 2069 | CKV_CIRCLECIPIPELINES_8 | circleci_pipelines | executors.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Detecting image usages in circleci pipelines | circleci_pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/DetectImagesUsage.py) | -| 2070 | CKV_CIRCLECIPIPELINES_8 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Detecting image usages in circleci pipelines | circleci_pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/DetectImagesUsage.py) | -| 2071 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | [SpacesBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketVersioning.py) | -| 2072 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | [DropletSSHKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/DropletSSHKeys.py) | -| 2073 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | [SpacesBucketPublicRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketPublicRead.py) | -| 2074 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | [FirewallIngressOpen.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/FirewallIngressOpen.py) | -| 2075 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | [ExposePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/ExposePort22.py) | -| 2076 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | [HealthcheckExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/HealthcheckExists.py) | -| 2077 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | [UserExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/UserExists.py) | -| 2078 | CKV_DOCKER_4 | dockerfile | ADD | Ensure that COPY is used instead of ADD in Dockerfiles | dockerfile | [AddExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/AddExists.py) | -| 2079 | CKV_DOCKER_5 | dockerfile | RUN | Ensure update instructions are not use alone in the Dockerfile | dockerfile | [UpdateNotAlone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/UpdateNotAlone.py) | -| 2080 | CKV_DOCKER_6 | dockerfile | MAINTAINER | Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) | dockerfile | [MaintainerExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/MaintainerExists.py) | -| 2081 | CKV_DOCKER_7 | dockerfile | FROM | Ensure the base image uses a non latest version tag | dockerfile | [ReferenceLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/ReferenceLatestTag.py) | -| 2082 | CKV_DOCKER_8 | dockerfile | USER | Ensure the last USER is not root | dockerfile | [RootUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/RootUser.py) | -| 2083 | CKV_DOCKER_9 | dockerfile | RUN | Ensure that APT isn't used | dockerfile | [RunUsingAPT.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/RunUsingAPT.py) | -| 2084 | CKV_DOCKER_10 | dockerfile | WORKDIR | Ensure that WORKDIR values are absolute paths | dockerfile | [WorkdirIsAbsolute.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/WorkdirIsAbsolute.py) | -| 2085 | CKV_DOCKER_11 | dockerfile | FROM | Ensure From Alias are unique for multistage builds. | dockerfile | [AliasIsUnique.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/AliasIsUnique.py) | -| 2086 | CKV2_DOCKER_1 | resource | RUN | Ensure that sudo isn't used | dockerfile | [RunUsingSudo.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUsingSudo.yaml) | -| 2087 | CKV2_DOCKER_2 | resource | RUN | Ensure that certificate validation isn't disabled with curl | dockerfile | [RunUnsafeCurl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUnsafeCurl.yaml) | -| 2088 | CKV2_DOCKER_3 | resource | RUN | Ensure that certificate validation isn't disabled with wget | dockerfile | [RunUnsafeWget.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUnsafeWget.yaml) | -| 2089 | CKV2_DOCKER_4 | resource | RUN | Ensure that certificate validation isn't disabled with the pip '--trusted-host' option | dockerfile | [RunPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunPipTrustedHost.yaml) | -| 2090 | CKV2_DOCKER_5 | resource | ARG | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) | -| 2091 | CKV2_DOCKER_5 | resource | ENV | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) | -| 2092 | CKV2_DOCKER_5 | resource | RUN | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) | -| 2093 | CKV2_DOCKER_6 | resource | ARG | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) | -| 2094 | CKV2_DOCKER_6 | resource | ENV | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) | -| 2095 | CKV2_DOCKER_6 | resource | RUN | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) | -| 2096 | CKV2_DOCKER_7 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option | dockerfile | [RunApkAllowUntrusted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunApkAllowUntrusted.yaml) | -| 2097 | CKV2_DOCKER_8 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option | dockerfile | [RunAptGetAllowUnauthenticated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunAptGetAllowUnauthenticated.yaml) | -| 2098 | CKV2_DOCKER_9 | resource | RUN | Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option | dockerfile | [RunYumNoGpgCheck.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunYumNoGpgCheck.yaml) | -| 2099 | CKV2_DOCKER_10 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options | dockerfile | [RunRpmNoSignature.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunRpmNoSignature.yaml) | -| 2100 | CKV2_DOCKER_11 | resource | RUN | Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | dockerfile | [RunAptGetForceYes.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunAptGetForceYes.yaml) | -| 2101 | CKV2_DOCKER_12 | resource | ARG | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) | -| 2102 | CKV2_DOCKER_12 | resource | ENV | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) | -| 2103 | CKV2_DOCKER_12 | resource | RUN | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) | -| 2104 | CKV2_DOCKER_13 | resource | RUN | Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false | dockerfile | [RunNpmConfigSetStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunNpmConfigSetStrictSsl.yaml) | -| 2105 | CKV2_DOCKER_14 | resource | ARG | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) | -| 2106 | CKV2_DOCKER_14 | resource | ENV | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) | -| 2107 | CKV2_DOCKER_14 | resource | RUN | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) | -| 2108 | CKV2_DOCKER_15 | resource | RUN | Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option | dockerfile | [RunYumConfigManagerSslVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunYumConfigManagerSslVerify.yaml) | -| 2109 | CKV2_DOCKER_16 | resource | ARG | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) | -| 2110 | CKV2_DOCKER_16 | resource | ENV | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) | -| 2111 | CKV2_DOCKER_16 | resource | RUN | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) | -| 2112 | CKV2_DOCKER_17 | resource | RUN | Ensure that 'chpasswd' is not used to set or remove passwords | dockerfile | [RunChpasswd.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunChpasswd.yaml) | -| 2113 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClusterLogging.py) | -| 2114 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | [GoogleComputeFirewallUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress22.py) | -| 2115 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3389.py) | -| 2116 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | [GoogleComputeSSLPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSSLPolicy.py) | -| 2117 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | [GoogleCloudSqlDatabaseRequireSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py) | -| 2118 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | [GKEDisableLegacyAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDisableLegacyAuth.py) | -| 2119 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMonitoringEnabled.py) | -| 2120 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoRepairEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoRepairEnabled.py) | -| 2121 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoUpgradeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoUpgradeEnabled.py) | -| 2122 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | [GoogleCloudSqlDatabasePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabasePubliclyAccessible.py) | -| 2123 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | [GKENetworkPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENetworkPolicyEnabled.py) | -| 2124 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | [GKEClientCertificateDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py) | -| 2125 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | [GoogleCloudSqlBackupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlBackupConfiguration.py) | -| 2126 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | [GoogleBigQueryDatasetPublicACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleBigQueryDatasetPublicACL.py) | -| 2127 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | [GoogleCloudDNSSECEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSSECEnabled.py) | -| 2128 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | [GoogleCloudDNSKeySpecsRSASHA1.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSKeySpecsRSASHA1.py) | -| 2129 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | [GKEPublicControlPlane.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPublicControlPlane.py) | -| 2130 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | [GKEBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBasicAuth.py) | -| 2131 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | [GKEMasterAuthorizedNetworksEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMasterAuthorizedNetworksEnabled.py) | -| 2132 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | [GKEHasLabels.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEHasLabels.py) | -| 2133 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | [GKEUseCosImage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py) | -| 2134 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | [GKEAliasIpEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEAliasIpEnabled.py) | -| 2135 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | [GKEPodSecurityPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py) | -| 2136 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | [GKEPrivateClusterConfig.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateClusterConfig.py) | -| 2137 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | [GoogleSubnetworkLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkLoggingEnabled.py) | -| 2138 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | [GoogleProjectDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectDefaultNetwork.py) | -| 2139 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | -| 2140 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | -| 2141 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | [GoogleStorageBucketUniformAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketUniformAccess.py) | -| 2142 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | -| 2143 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | -| 2144 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | -| 2145 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | -| 2146 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | -| 2147 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | -| 2148 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | -| 2149 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | -| 2150 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | -| 2151 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | [GoogleComputeProjectOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeProjectOSLogin.py) | -| 2152 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | -| 2153 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | -| 2154 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | -| 2155 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | -| 2156 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | -| 2157 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | -| 2158 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | -| 2159 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | -| 2160 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | -| 2161 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDiskEncryption.py) | -| 2162 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeBootDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBootDiskEncryption.py) | -| 2163 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | -| 2164 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | -| 2165 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | -| 2166 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | -| 2167 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | -| 2168 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | -| 2169 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | -| 2170 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | -| 2171 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | [GoogleProjectAdminServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectAdminServiceAccount.py) | -| 2172 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | [GoogleKMSRotationPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py) | -| 2173 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | -| 2174 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | -| 2175 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | -| 2176 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | -| 2177 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | -| 2178 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | -| 2179 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | -| 2180 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | -| 2181 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | -| 2182 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | -| 2183 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | -| 2184 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | -| 2185 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | [GoogleCloudMySqlLocalInfileOff.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudMySqlLocalInfileOff.py) | -| 2186 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogCheckpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py) | -| 2187 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogConnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py) | -| 2188 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogDisconnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py) | -| 2189 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogLockWaits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py) | -| 2190 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | [GoogleCloudPostgreSqlLogMinMessage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinMessage.py) | -| 2191 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | [GoogleCloudPostgreSqlLogTemp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogTemp.py) | -| 2192 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | [GoogleCloudPostgreSqlLogMinDuration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinDuration.py) | -| 2193 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | [GoogleCloudSqlServerCrossDBOwnershipChaining.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerCrossDBOwnershipChaining.py) | -| 2194 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | [GoogleCloudSqlServerContainedDBAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerContainedDBAuthentication.py) | -| 2195 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | [GoogleCloudSqlServerNoPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerNoPublicIP.py) | -| 2196 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | [GKEEnableVPCFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableVPCFlowLogs.py) | -| 2197 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | [CloudStorageLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageLogging.py) | -| 2198 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | [CloudStorageSelfLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageSelfLogging.py) | -| 2199 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | [GKEPrivateNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateNodes.py) | -| 2200 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | [GKEKubernetesRBACGoogleGroups.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEKubernetesRBACGoogleGroups.py) | -| 2201 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | [GKEBinaryAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py) | -| 2202 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | -| 2203 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | -| 2204 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | -| 2205 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | -| 2206 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | [GKEReleaseChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEReleaseChannel.py) | -| 2207 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | [GKEEnableShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableShieldedNodes.py) | -| 2208 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | -| 2209 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | -| 2210 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [CloudArmorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py) | -| 2211 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | [GoogleSubnetworkPrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py) | -| 2212 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | [GoogleComputeFirewallUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress21.py) | -| 2213 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | [GoogleSubnetworkIPV6PrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py) | -| 2214 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | [GoogleComputeFirewallUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress20.py) | -| 2215 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | [CloudStorageVersioningEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageVersioningEnabled.py) | -| 2216 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | [CloudSqlMajorVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudSqlMajorVersion.py) | -| 2217 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryTableEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableEncryptedWithCMK.py) | -| 2218 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryDatasetEncryptedWithCMK.py) | -| 2219 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | [GoogleKMSPreventDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSPreventDestroy.py) | -| 2220 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [CloudPubSubEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudPubSubEncryptedWithCMK.py) | -| 2221 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [ArtifactRegsitryEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegsitryEncryptedWithCMK.py) | -| 2222 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigTableInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceEncryptedWithCMK.py) | -| 2223 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | [CloudBuildWorkersArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudBuildWorkersArePrivate.py) | -| 2224 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | [DataFusionPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionPrivateInstance.py) | -| 2225 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3306.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3306.py) | -| 2226 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | [VertexAIPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIPrivateInstance.py) | -| 2227 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataflowJobEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowJobEncryptedWithCMK.py) | -| 2228 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataprocClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocClusterEncryptedWithCMK.py) | -| 2229 | CKV_GCP_92 | resource | google_vertex_ai_dataset | Ensure Vertex AI datasets uses a CMK (Customer Manager Key) | Terraform | [VertexAIDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIDatasetEncryptedWithCMK.py) | -| 2230 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [SpannerDatabaseEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseEncryptedWithCMK.py) | -| 2231 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | [DataflowPrivateJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowPrivateJob.py) | -| 2232 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | [MemorystoreForRedisAuthEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisAuthEnabled.py) | -| 2233 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Manager Key) | Terraform | [VertexAIMetadataStoreEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIMetadataStoreEncryptedWithCMK.py) | -| 2234 | CKV_GCP_97 | resource | google_redis_instance | Ensure Memorystore for Redis uses intransit encryption | Terraform | [MemorystoreForRedisInTransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisInTransitEncryption.py) | -| 2235 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | -| 2236 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | -| 2237 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | -| 2238 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | -| 2239 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | -| 2240 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | -| 2241 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | -| 2242 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | -| 2243 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | -| 2244 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | -| 2245 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | [DataprocPublicIpCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPublicIpCluster.py) | -| 2246 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | [DataFusionStackdriverLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverLogs.py) | -| 2247 | CKV_GCP_105 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver monitoring enabled | Terraform | [DataFusionStackdriverMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverMonitoring.py) | -| 2248 | CKV_GCP_106 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | Terraform | [GoogleComputeFirewallUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress80.py) | -| 2249 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 2250 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 2251 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 2252 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 2253 | CKV_GCP_108 | resource | google_sql_database_instance | Ensure hostnames are logged for GCP PostgreSQL databases | Terraform | [GoogleCloudPostgreSqlLogHostname.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogHostname.py) | -| 2254 | CKV_GCP_109 | resource | google_sql_database_instance | Ensure the GCP PostgreSQL database log levels are set to ERROR or lower | Terraform | [GoogleCloudPostgreSqlLogMinErrorStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinErrorStatement.py) | -| 2255 | CKV_GCP_110 | resource | google_sql_database_instance | Ensure pgAudit is enabled for your GCP PostgreSQL database | Terraform | [GoogleCloudPostgreSqlEnablePgaudit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlEnablePgaudit.py) | -| 2256 | CKV_GCP_111 | resource | google_sql_database_instance | Ensure GCP PostgreSQL logs SQL statements | Terraform | [GoogleCloudPostgreSqlLogStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogStatement.py) | -| 2257 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_binding | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 2258 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_member | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 2259 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_policy | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 2260 | CKV_GCP_113 | data | google_iam_policy | Ensure IAM policy should not define public access | Terraform | [GooglePolicyIsPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py) | -| 2261 | CKV_GCP_114 | resource | google_storage_bucket | Ensure public access prevention is enforced on Cloud Storage bucket | Terraform | [GoogleStoragePublicAccessPrevention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStoragePublicAccessPrevention.py) | -| 2262 | CKV_GCP_115 | resource | google_organization_iam_binding | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | -| 2263 | CKV_GCP_115 | resource | google_organization_iam_member | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | -| 2264 | CKV_GCP_116 | resource | google_folder_iam_binding | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | -| 2265 | CKV_GCP_116 | resource | google_folder_iam_member | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | -| 2266 | CKV_GCP_117 | resource | google_project_iam_binding | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | -| 2267 | CKV_GCP_117 | resource | google_project_iam_member | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | -| 2268 | CKV_GCP_118 | resource | google_iam_workload_identity_pool_provider | Ensure IAM workload identity pool provider is restricted | Terraform | [GoogleIAMWorkloadIdentityConditional.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleIAMWorkloadIdentityConditional.py) | -| 2269 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | [GKEClustersAreNotUsingDefaultServiceAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GKEClustersAreNotUsingDefaultServiceAccount.yaml) | -| 2270 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | [GCPProjectHasNoLegacyNetworks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPProjectHasNoLegacyNetworks.yaml) | -| 2271 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | [ServiceAccountHasGCPmanagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/ServiceAccountHasGCPmanagedKey.yaml) | -| 2272 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 2273 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 2274 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 2275 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 2276 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | -| 2277 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | -| 2278 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 2279 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 2280 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 2281 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | -| 2282 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | -| 2283 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 2284 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 2285 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 2286 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 2287 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 2288 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 2289 | CKV2_GCP_10 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function HTTP trigger is secured | Terraform | [CloudFunctionSecureHTTPTrigger.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml) | -| 2290 | CKV2_GCP_11 | resource | google_project_services | Ensure GCP GCR Container Vulnerability Scanning is enabled | Terraform | [GCRContainerVulnerabilityScanningEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCRContainerVulnerabilityScanningEnabled.yaml) | -| 2291 | CKV2_GCP_12 | resource | google_compute_firewall | Ensure GCP compute firewall ingress does not allow unrestricted access to all ports | Terraform | [GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml) | -| 2292 | CKV2_GCP_13 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_duration' is set to 'on' | Terraform | [GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml) | -| 2293 | CKV2_GCP_14 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml) | -| 2294 | CKV2_GCP_15 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml) | -| 2295 | CKV2_GCP_16 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml) | -| 2296 | CKV2_GCP_17 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml) | -| 2297 | CKV2_GCP_18 | resource | google_compute_network | Ensure GCP network defines a firewall and does not use the default firewall | Terraform | [GCPNetworkDoesNotUseDefaultFirewall.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml) | -| 2298 | CKV2_GCP_19 | resource | google_container_cluster | Ensure GCP Kubernetes engine clusters have 'alpha cluster' feature disabled | Terraform | [GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml) | -| 2299 | CKV2_GCP_20 | resource | google_sql_database_instance | Ensure MySQL DB instance has point-in-time recovery backup configured | Terraform | [GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml) | -| 2300 | CKV_GHA_1 | jobs | jobs | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables | github_actions | [AllowUnsecureCommandsOnJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/AllowUnsecureCommandsOnJob.py) | -| 2301 | CKV_GHA_1 | jobs | jobs.*.steps[] | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables | github_actions | [AllowUnsecureCommandsOnJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/AllowUnsecureCommandsOnJob.py) | -| 2302 | CKV_GHA_2 | jobs | jobs | Ensure run commands are not vulnerable to shell injection | github_actions | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ShellInjection.py) | -| 2303 | CKV_GHA_2 | jobs | jobs.*.steps[] | Ensure run commands are not vulnerable to shell injection | github_actions | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ShellInjection.py) | -| 2304 | CKV_GHA_3 | jobs | jobs | Suspicious use of curl with secrets | github_actions | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/SuspectCurlInScript.py) | -| 2305 | CKV_GHA_3 | jobs | jobs.*.steps[] | Suspicious use of curl with secrets | github_actions | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/SuspectCurlInScript.py) | -| 2306 | CKV_GHA_4 | jobs | jobs | Suspicious use of netcat with IP address | github_actions | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ReverseShellNetcat.py) | -| 2307 | CKV_GHA_4 | jobs | jobs.*.steps[] | Suspicious use of netcat with IP address | github_actions | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ReverseShellNetcat.py) | -| 2308 | CKV_GHA_5 | jobs | jobs | Found artifact build without evidence of cosign sign execution in pipeline | github_actions | [CosignArtifacts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/CosignArtifacts.py) | -| 2309 | CKV_GHA_6 | jobs | jobs | Found artifact build without evidence of cosign sbom attestation in pipeline | github_actions | [CosignSBOM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/CosignSBOM.py) | -| 2310 | CKV_GHA_7 | jobs | on | The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. | github_actions | [EmptyWorkflowDispatch.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/EmptyWorkflowDispatch.py) | -| 2311 | CKV2_GHA_1 | resource | permissions | Ensure top-level permissions are not set to write-all | github_actions | [ReadOnlyTopLevelPermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/graph_checks/ReadOnlyTopLevelPermissions.yaml) | -| 2312 | CKV_GIT_1 | resource | github_repository | Ensure GitHub repository is Private | Terraform | [PrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/PrivateRepo.py) | -| 2313 | CKV_GIT_2 | resource | github_repository_webhook | Ensure GitHub repository webhooks are using HTTPS | Terraform | [WebhookInsecureSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/WebhookInsecureSsl.py) | -| 2314 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | [RepositoryEnableVulnerabilityAlerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py) | -| 2315 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 2316 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 2317 | CKV_GIT_4 | resource | github_actions_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 2318 | CKV_GIT_5 | resource | github_branch_protection | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | -| 2319 | CKV_GIT_5 | resource | github_branch_protection_v3 | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | -| 2320 | CKV_GIT_6 | resource | github_branch_protection | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | -| 2321 | CKV_GIT_6 | resource | github_branch_protection_v3 | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | -| 2322 | CKV2_GIT_1 | resource | github_repository | Ensure each Repository has branch protection associated | Terraform | [RepositoryHasBranchProtection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/github/RepositoryHasBranchProtection.yaml) | -| 2323 | CKV_GITHUB_1 | github_configuration | * | Ensure GitHub organization security settings require 2FA | github_configuration | [2fa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/2fa.py) | -| 2324 | CKV_GITHUB_2 | github_configuration | * | Ensure GitHub organization security settings require SSO | github_configuration | [sso.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/sso.py) | -| 2325 | CKV_GITHUB_3 | github_configuration | * | Ensure GitHub organization security settings has IP allow list enabled | github_configuration | [ipallowlist.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/ipallowlist.py) | -| 2326 | CKV_GITHUB_4 | github_configuration | * | Ensure GitHub branch protection rules requires signed commits | github_configuration | [require_signatures.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_signatures.py) | -| 2327 | CKV_GITHUB_5 | github_configuration | * | Ensure GitHub branch protection rules does not allow force pushes | github_configuration | [disallow_force_pushes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_force_pushes.py) | -| 2328 | CKV_GITHUB_6 | github_configuration | * | Ensure GitHub organization webhooks are using HTTPS | github_configuration | [webhooks_https_orgs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/webhooks_https_orgs.py) | -| 2329 | CKV_GITHUB_7 | github_configuration | * | Ensure GitHub repository webhooks are using HTTPS | github_configuration | [webhooks_https_repos.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/webhooks_https_repos.py) | -| 2330 | CKV_GITHUB_8 | github_configuration | * | Ensure GitHub branch protection rules requires linear history | github_configuration | [require_linear_history.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_linear_history.py) | -| 2331 | CKV_GITHUB_9 | github_configuration | * | Ensure 2 admins are set for each repository | github_configuration | [repository_collaborators.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/repository_collaborators.py) | -| 2332 | CKV_GITHUB_10 | github_configuration | * | Ensure branch protection rules are enforced on administrators | github_configuration | [enforce_branch_protection_admins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/enforce_branch_protection_admins.py) | -| 2333 | CKV_GITHUB_11 | github_configuration | * | Ensure GitHub branch protection dismisses stale review on new commit | github_configuration | [dismiss_stale_reviews.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/dismiss_stale_reviews.py) | -| 2334 | CKV_GITHUB_12 | github_configuration | * | Ensure GitHub branch protection restricts who can dismiss PR reviews | github_configuration | [restrict_pr_review_dismissal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/restrict_pr_review_dismissal.py) | -| 2335 | CKV_GITHUB_13 | github_configuration | * | Ensure GitHub branch protection requires CODEOWNER reviews | github_configuration | [require_code_owner_reviews.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_code_owner_reviews.py) | -| 2336 | CKV_GITHUB_14 | github_configuration | * | Ensure all checks have passed before the merge of new code | github_configuration | [require_status_checks_pr.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_status_checks_pr.py) | -| 2337 | CKV_GITHUB_15 | github_configuration | * | Ensure inactive branches are reviewed and removed periodically | github_configuration | [disallow_inactive_branch_60days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_inactive_branch_60days.py) | -| 2338 | CKV_GITHUB_16 | github_configuration | * | Ensure GitHub branch protection requires conversation resolution | github_configuration | [require_conversation_resolution.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_conversation_resolution.py) | -| 2339 | CKV_GITHUB_17 | github_configuration | * | Ensure GitHub branch protection requires push restrictions | github_configuration | [require_push_restrictions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_push_restrictions.py) | -| 2340 | CKV_GITHUB_18 | github_configuration | * | Ensure GitHub branch protection rules does not allow deletions | github_configuration | [disallow_branch_deletions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_branch_deletions.py) | -| 2341 | CKV_GITHUB_19 | github_configuration | * | Ensure any change to code receives approval of two strongly authenticated users | github_configuration | [require_2approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_2approvals.py) | -| 2342 | CKV_GITHUB_20 | github_configuration | * | Ensure open git branches are up to date before they can be merged into codebase | github_configuration | [require_updated_branch_pr.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_updated_branch_pr.py) | -| 2343 | CKV_GITHUB_21 | github_configuration | * | Ensure public repository creation is limited to specific members | github_configuration | [public_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/public_repository_creation_is_limited.py) | -| 2344 | CKV_GITHUB_22 | github_configuration | * | Ensure private repository creation is limited to specific members | github_configuration | [private_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/private_repository_creation_is_limited.py) | -| 2345 | CKV_GITHUB_23 | github_configuration | * | Ensure internal repository creation is limited to specific members | github_configuration | [internal_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/internal_repository_creation_is_limited.py) | -| 2346 | CKV_GITHUB_26 | github_configuration | * | Ensure minimum admins are set for the organization | github_configuration | [minimum_admins_in_org.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/minimum_admins_in_org.py) | -| 2347 | CKV_GITHUB_27 | github_configuration | * | Ensure strict base permissions are set for repositories | github_configuration | [require_strict_base_permissions_repository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_strict_base_permissions_repository.py) | -| 2348 | CKV_GITHUB_28 | github_configuration | * | Ensure an organization's identity is confirmed with a Verified badge Passed | github_configuration | [require_verified_organization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_verified_organization.py) | -| 2349 | CKV_GITLAB_1 | gitlab_configuration | * | Merge requests should require at least 2 approvals | gitlab_configuration | [merge_requests_approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab/checks/merge_requests_approvals.py) | -| 2350 | CKV_GITLAB_2 | gitlab_configuration | * | Ensure all Gitlab groups require two factor authentication | gitlab_configuration | [two_factor_authentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab/checks/two_factor_authentication.py) | -| 2351 | CKV_GITLABCI_1 | jobs | *.script[] | Suspicious use of curl with CI environment variables in script | gitlab_ci | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/SuspectCurlInScript.py) | -| 2352 | CKV_GITLABCI_2 | jobs | *.rules | Avoid creating rules that generate double pipelines | gitlab_ci | [AvoidDoublePipelines.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/AvoidDoublePipelines.py) | -| 2353 | CKV_GITLABCI_3 | jobs | *.image[] | Detecting image usages in gitlab workflows | gitlab_ci | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/DetectImagesUsage.py) | -| 2354 | CKV_GITLABCI_3 | jobs | *.services[] | Detecting image usages in gitlab workflows | gitlab_ci | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/DetectImagesUsage.py) | -| 2355 | CKV_GLB_1 | resource | gitlab_project | Ensure at least two approving reviews are required to merge a GitLab MR | Terraform | [RequireTwoApprovalsToMerge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RequireTwoApprovalsToMerge.py) | -| 2356 | CKV_GLB_2 | resource | gitlab_branch_protection | Ensure GitLab branch protection rules does not allow force pushes | Terraform | [ForcePushDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/ForcePushDisabled.py) | -| 2357 | CKV_GLB_3 | resource | gitlab_project | Ensure GitLab prevent secrets is enabled | Terraform | [PreventSecretsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/PreventSecretsEnabled.py) | -| 2358 | CKV_GLB_4 | resource | gitlab_project | Ensure GitLab commits are signed | Terraform | [RejectUnsignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RejectUnsignedCommits.py) | -| 2359 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPIDPSP.py) | -| 2360 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPIDPSP.py) | -| 2361 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | [PrivilegedContainersPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainersPSP.py) | -| 2362 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | [PrivilegedContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainerPSP.py) | -| 2363 | CKV_K8S_3 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPCPSP.py) | -| 2364 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPCPSP.py) | -| 2365 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespacePSP.py) | -| 2366 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespacePSP.py) | -| 2367 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalationPSP.py) | -| 2368 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalationPSP.py) | -| 2369 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers | Kubernetes | [RootContainersPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersPSP.py) | -| 2370 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | [RootContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py) | -| 2371 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilitiesPSP.py) | -| 2372 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py) | -| 2373 | CKV_K8S_8 | resource | DaemonSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2374 | CKV_K8S_8 | resource | Deployment | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2375 | CKV_K8S_8 | resource | DeploymentConfig | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2376 | CKV_K8S_8 | resource | Pod | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2377 | CKV_K8S_8 | resource | PodTemplate | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2378 | CKV_K8S_8 | resource | ReplicaSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2379 | CKV_K8S_8 | resource | ReplicationController | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2380 | CKV_K8S_8 | resource | StatefulSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2381 | CKV_K8S_8 | resource | kubernetes_deployment | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 2382 | CKV_K8S_8 | resource | kubernetes_deployment_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 2383 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 2384 | CKV_K8S_8 | resource | kubernetes_pod_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 2385 | CKV_K8S_9 | resource | DaemonSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2386 | CKV_K8S_9 | resource | Deployment | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2387 | CKV_K8S_9 | resource | DeploymentConfig | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2388 | CKV_K8S_9 | resource | Pod | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2389 | CKV_K8S_9 | resource | PodTemplate | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2390 | CKV_K8S_9 | resource | ReplicaSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2391 | CKV_K8S_9 | resource | ReplicationController | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2392 | CKV_K8S_9 | resource | StatefulSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2393 | CKV_K8S_9 | resource | kubernetes_deployment | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 2394 | CKV_K8S_9 | resource | kubernetes_deployment_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 2395 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 2396 | CKV_K8S_9 | resource | kubernetes_pod_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 2397 | CKV_K8S_10 | resource | CronJob | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2398 | CKV_K8S_10 | resource | DaemonSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2399 | CKV_K8S_10 | resource | Deployment | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2400 | CKV_K8S_10 | resource | DeploymentConfig | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2401 | CKV_K8S_10 | resource | Job | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2402 | CKV_K8S_10 | resource | Pod | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2403 | CKV_K8S_10 | resource | PodTemplate | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2404 | CKV_K8S_10 | resource | ReplicaSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2405 | CKV_K8S_10 | resource | ReplicationController | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2406 | CKV_K8S_10 | resource | StatefulSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2407 | CKV_K8S_10 | resource | kubernetes_deployment | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 2408 | CKV_K8S_10 | resource | kubernetes_deployment_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 2409 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 2410 | CKV_K8S_10 | resource | kubernetes_pod_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 2411 | CKV_K8S_11 | resource | CronJob | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2412 | CKV_K8S_11 | resource | DaemonSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2413 | CKV_K8S_11 | resource | Deployment | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2414 | CKV_K8S_11 | resource | DeploymentConfig | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2415 | CKV_K8S_11 | resource | Job | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2416 | CKV_K8S_11 | resource | Pod | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2417 | CKV_K8S_11 | resource | PodTemplate | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2418 | CKV_K8S_11 | resource | ReplicaSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2419 | CKV_K8S_11 | resource | ReplicationController | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2420 | CKV_K8S_11 | resource | StatefulSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2421 | CKV_K8S_11 | resource | kubernetes_deployment | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 2422 | CKV_K8S_11 | resource | kubernetes_deployment_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 2423 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 2424 | CKV_K8S_11 | resource | kubernetes_pod_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 2425 | CKV_K8S_12 | resource | CronJob | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2426 | CKV_K8S_12 | resource | DaemonSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2427 | CKV_K8S_12 | resource | Deployment | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2428 | CKV_K8S_12 | resource | DeploymentConfig | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2429 | CKV_K8S_12 | resource | Job | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2430 | CKV_K8S_12 | resource | Pod | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2431 | CKV_K8S_12 | resource | PodTemplate | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2432 | CKV_K8S_12 | resource | ReplicaSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2433 | CKV_K8S_12 | resource | ReplicationController | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2434 | CKV_K8S_12 | resource | StatefulSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2435 | CKV_K8S_12 | resource | kubernetes_deployment | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 2436 | CKV_K8S_12 | resource | kubernetes_deployment_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 2437 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 2438 | CKV_K8S_12 | resource | kubernetes_pod_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 2439 | CKV_K8S_13 | resource | CronJob | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2440 | CKV_K8S_13 | resource | DaemonSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2441 | CKV_K8S_13 | resource | Deployment | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2442 | CKV_K8S_13 | resource | DeploymentConfig | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2443 | CKV_K8S_13 | resource | Job | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2444 | CKV_K8S_13 | resource | Pod | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2445 | CKV_K8S_13 | resource | PodTemplate | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2446 | CKV_K8S_13 | resource | ReplicaSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2447 | CKV_K8S_13 | resource | ReplicationController | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2448 | CKV_K8S_13 | resource | StatefulSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2449 | CKV_K8S_13 | resource | kubernetes_deployment | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 2450 | CKV_K8S_13 | resource | kubernetes_deployment_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 2451 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 2452 | CKV_K8S_13 | resource | kubernetes_pod_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 2453 | CKV_K8S_14 | resource | CronJob | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2454 | CKV_K8S_14 | resource | DaemonSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2455 | CKV_K8S_14 | resource | Deployment | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2456 | CKV_K8S_14 | resource | DeploymentConfig | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2457 | CKV_K8S_14 | resource | Job | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2458 | CKV_K8S_14 | resource | Pod | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2459 | CKV_K8S_14 | resource | PodTemplate | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2460 | CKV_K8S_14 | resource | ReplicaSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2461 | CKV_K8S_14 | resource | ReplicationController | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2462 | CKV_K8S_14 | resource | StatefulSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2463 | CKV_K8S_14 | resource | kubernetes_deployment | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 2464 | CKV_K8S_14 | resource | kubernetes_deployment_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 2465 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 2466 | CKV_K8S_14 | resource | kubernetes_pod_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 2467 | CKV_K8S_15 | resource | CronJob | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2468 | CKV_K8S_15 | resource | DaemonSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2469 | CKV_K8S_15 | resource | Deployment | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2470 | CKV_K8S_15 | resource | DeploymentConfig | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2471 | CKV_K8S_15 | resource | Job | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2472 | CKV_K8S_15 | resource | Pod | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2473 | CKV_K8S_15 | resource | PodTemplate | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2474 | CKV_K8S_15 | resource | ReplicaSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2475 | CKV_K8S_15 | resource | ReplicationController | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2476 | CKV_K8S_15 | resource | StatefulSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2477 | CKV_K8S_15 | resource | kubernetes_deployment | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 2478 | CKV_K8S_15 | resource | kubernetes_deployment_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 2479 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 2480 | CKV_K8S_15 | resource | kubernetes_pod_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 2481 | CKV_K8S_16 | resource | CronJob | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2482 | CKV_K8S_16 | resource | DaemonSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2483 | CKV_K8S_16 | resource | Deployment | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2484 | CKV_K8S_16 | resource | DeploymentConfig | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2485 | CKV_K8S_16 | resource | Job | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2486 | CKV_K8S_16 | resource | Pod | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2487 | CKV_K8S_16 | resource | PodTemplate | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2488 | CKV_K8S_16 | resource | ReplicaSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2489 | CKV_K8S_16 | resource | ReplicationController | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2490 | CKV_K8S_16 | resource | StatefulSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2491 | CKV_K8S_16 | resource | kubernetes_deployment | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 2492 | CKV_K8S_16 | resource | kubernetes_deployment_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 2493 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 2494 | CKV_K8S_16 | resource | kubernetes_pod_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 2495 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2496 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2497 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2498 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2499 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2500 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2501 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2502 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2503 | CKV_K8S_17 | resource | kubernetes_deployment | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 2504 | CKV_K8S_17 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 2505 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 2506 | CKV_K8S_17 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 2507 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2508 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2509 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2510 | CKV_K8S_18 | resource | Job | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2511 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2512 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2513 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2514 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2515 | CKV_K8S_18 | resource | kubernetes_deployment | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 2516 | CKV_K8S_18 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 2517 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 2518 | CKV_K8S_18 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 2519 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2520 | CKV_K8S_19 | resource | DaemonSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2521 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2522 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2523 | CKV_K8S_19 | resource | Pod | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2524 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2525 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2526 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2527 | CKV_K8S_19 | resource | kubernetes_deployment | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 2528 | CKV_K8S_19 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 2529 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 2530 | CKV_K8S_19 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 2531 | CKV_K8S_20 | resource | CronJob | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2532 | CKV_K8S_20 | resource | DaemonSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2533 | CKV_K8S_20 | resource | Deployment | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2534 | CKV_K8S_20 | resource | DeploymentConfig | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2535 | CKV_K8S_20 | resource | Job | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2536 | CKV_K8S_20 | resource | Pod | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2537 | CKV_K8S_20 | resource | PodTemplate | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2538 | CKV_K8S_20 | resource | ReplicaSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2539 | CKV_K8S_20 | resource | ReplicationController | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2540 | CKV_K8S_20 | resource | StatefulSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2541 | CKV_K8S_20 | resource | kubernetes_deployment | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 2542 | CKV_K8S_20 | resource | kubernetes_deployment_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 2543 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 2544 | CKV_K8S_20 | resource | kubernetes_pod_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 2545 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2546 | CKV_K8S_21 | resource | CronJob | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2547 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2548 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2549 | CKV_K8S_21 | resource | Ingress | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2550 | CKV_K8S_21 | resource | Job | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2551 | CKV_K8S_21 | resource | Pod | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2552 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2553 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2554 | CKV_K8S_21 | resource | Role | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2555 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2556 | CKV_K8S_21 | resource | Secret | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2557 | CKV_K8S_21 | resource | Service | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2558 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2559 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2560 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2561 | CKV_K8S_21 | resource | kubernetes_config_map_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2562 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2563 | CKV_K8S_21 | resource | kubernetes_cron_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2564 | CKV_K8S_21 | resource | kubernetes_daemon_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2565 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2566 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2567 | CKV_K8S_21 | resource | kubernetes_deployment_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2568 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2569 | CKV_K8S_21 | resource | kubernetes_ingress_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2570 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2571 | CKV_K8S_21 | resource | kubernetes_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2572 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2573 | CKV_K8S_21 | resource | kubernetes_pod_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2574 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2575 | CKV_K8S_21 | resource | kubernetes_replication_controller_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2576 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2577 | CKV_K8S_21 | resource | kubernetes_role_binding_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2578 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2579 | CKV_K8S_21 | resource | kubernetes_secret_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2580 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2581 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2582 | CKV_K8S_21 | resource | kubernetes_service_account_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2583 | CKV_K8S_21 | resource | kubernetes_service_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2584 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2585 | CKV_K8S_21 | resource | kubernetes_stateful_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2586 | CKV_K8S_22 | resource | CronJob | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2587 | CKV_K8S_22 | resource | DaemonSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2588 | CKV_K8S_22 | resource | Deployment | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2589 | CKV_K8S_22 | resource | DeploymentConfig | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2590 | CKV_K8S_22 | resource | Job | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2591 | CKV_K8S_22 | resource | Pod | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2592 | CKV_K8S_22 | resource | PodTemplate | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2593 | CKV_K8S_22 | resource | ReplicaSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2594 | CKV_K8S_22 | resource | ReplicationController | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2595 | CKV_K8S_22 | resource | StatefulSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2596 | CKV_K8S_22 | resource | kubernetes_deployment | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 2597 | CKV_K8S_22 | resource | kubernetes_deployment_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 2598 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 2599 | CKV_K8S_22 | resource | kubernetes_pod_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 2600 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2601 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2602 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2603 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2604 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2605 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2606 | CKV_K8S_23 | resource | ReplicationController | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2607 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2608 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesPSP.py) | -| 2609 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesPSP.py) | -| 2610 | CKV_K8S_25 | resource | CronJob | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2611 | CKV_K8S_25 | resource | DaemonSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2612 | CKV_K8S_25 | resource | Deployment | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2613 | CKV_K8S_25 | resource | DeploymentConfig | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2614 | CKV_K8S_25 | resource | Job | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2615 | CKV_K8S_25 | resource | Pod | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2616 | CKV_K8S_25 | resource | PodTemplate | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2617 | CKV_K8S_25 | resource | ReplicaSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2618 | CKV_K8S_25 | resource | ReplicationController | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2619 | CKV_K8S_25 | resource | StatefulSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2620 | CKV_K8S_25 | resource | kubernetes_deployment | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 2621 | CKV_K8S_25 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 2622 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 2623 | CKV_K8S_25 | resource | kubernetes_pod_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 2624 | CKV_K8S_26 | resource | CronJob | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2625 | CKV_K8S_26 | resource | DaemonSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2626 | CKV_K8S_26 | resource | Deployment | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2627 | CKV_K8S_26 | resource | DeploymentConfig | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2628 | CKV_K8S_26 | resource | Job | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2629 | CKV_K8S_26 | resource | Pod | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2630 | CKV_K8S_26 | resource | PodTemplate | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2631 | CKV_K8S_26 | resource | ReplicaSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2632 | CKV_K8S_26 | resource | ReplicationController | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2633 | CKV_K8S_26 | resource | StatefulSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2634 | CKV_K8S_26 | resource | kubernetes_deployment | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 2635 | CKV_K8S_26 | resource | kubernetes_deployment_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 2636 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 2637 | CKV_K8S_26 | resource | kubernetes_pod_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 2638 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2639 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2640 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2641 | CKV_K8S_27 | resource | Job | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2642 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2643 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2644 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2645 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2646 | CKV_K8S_27 | resource | kubernetes_daemon_set_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2647 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2648 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2649 | CKV_K8S_27 | resource | kubernetes_deployment_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2650 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2651 | CKV_K8S_27 | resource | kubernetes_pod_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2652 | CKV_K8S_28 | resource | CronJob | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2653 | CKV_K8S_28 | resource | DaemonSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2654 | CKV_K8S_28 | resource | Deployment | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2655 | CKV_K8S_28 | resource | DeploymentConfig | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2656 | CKV_K8S_28 | resource | Job | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2657 | CKV_K8S_28 | resource | Pod | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2658 | CKV_K8S_28 | resource | PodTemplate | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2659 | CKV_K8S_28 | resource | ReplicaSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2660 | CKV_K8S_28 | resource | ReplicationController | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2661 | CKV_K8S_28 | resource | StatefulSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2662 | CKV_K8S_28 | resource | kubernetes_deployment | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 2663 | CKV_K8S_28 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 2664 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 2665 | CKV_K8S_28 | resource | kubernetes_pod_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 2666 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2667 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2668 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2669 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2670 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2671 | CKV_K8S_29 | resource | ReplicaSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2672 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2673 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2674 | CKV_K8S_29 | resource | kubernetes_daemon_set_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2675 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2676 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2677 | CKV_K8S_29 | resource | kubernetes_deployment_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2678 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2679 | CKV_K8S_29 | resource | kubernetes_pod_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2680 | CKV_K8S_30 | resource | CronJob | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2681 | CKV_K8S_30 | resource | DaemonSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2682 | CKV_K8S_30 | resource | Deployment | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2683 | CKV_K8S_30 | resource | DeploymentConfig | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2684 | CKV_K8S_30 | resource | Job | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2685 | CKV_K8S_30 | resource | Pod | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2686 | CKV_K8S_30 | resource | PodTemplate | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2687 | CKV_K8S_30 | resource | ReplicaSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2688 | CKV_K8S_30 | resource | ReplicationController | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2689 | CKV_K8S_30 | resource | StatefulSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2690 | CKV_K8S_30 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 2691 | CKV_K8S_30 | resource | kubernetes_deployment_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 2692 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 2693 | CKV_K8S_30 | resource | kubernetes_pod_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 2694 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2695 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2696 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2697 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2698 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2699 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2700 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2701 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2702 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SeccompPSP.py) | -| 2703 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py) | -| 2704 | CKV_K8S_33 | resource | CronJob | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2705 | CKV_K8S_33 | resource | DaemonSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2706 | CKV_K8S_33 | resource | Deployment | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2707 | CKV_K8S_33 | resource | DeploymentConfig | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2708 | CKV_K8S_33 | resource | Job | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2709 | CKV_K8S_33 | resource | Pod | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2710 | CKV_K8S_33 | resource | PodTemplate | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2711 | CKV_K8S_33 | resource | ReplicaSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2712 | CKV_K8S_33 | resource | ReplicationController | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2713 | CKV_K8S_33 | resource | StatefulSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2714 | CKV_K8S_34 | resource | CronJob | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2715 | CKV_K8S_34 | resource | DaemonSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2716 | CKV_K8S_34 | resource | Deployment | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2717 | CKV_K8S_34 | resource | DeploymentConfig | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2718 | CKV_K8S_34 | resource | Job | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2719 | CKV_K8S_34 | resource | Pod | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2720 | CKV_K8S_34 | resource | PodTemplate | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2721 | CKV_K8S_34 | resource | ReplicaSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2722 | CKV_K8S_34 | resource | ReplicationController | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2723 | CKV_K8S_34 | resource | StatefulSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2724 | CKV_K8S_34 | resource | kubernetes_deployment | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 2725 | CKV_K8S_34 | resource | kubernetes_deployment_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 2726 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 2727 | CKV_K8S_34 | resource | kubernetes_pod_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 2728 | CKV_K8S_35 | resource | CronJob | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2729 | CKV_K8S_35 | resource | DaemonSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2730 | CKV_K8S_35 | resource | Deployment | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2731 | CKV_K8S_35 | resource | DeploymentConfig | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2732 | CKV_K8S_35 | resource | Job | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2733 | CKV_K8S_35 | resource | Pod | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2734 | CKV_K8S_35 | resource | PodTemplate | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2735 | CKV_K8S_35 | resource | ReplicaSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2736 | CKV_K8S_35 | resource | ReplicationController | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2737 | CKV_K8S_35 | resource | StatefulSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2738 | CKV_K8S_35 | resource | kubernetes_deployment | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 2739 | CKV_K8S_35 | resource | kubernetes_deployment_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 2740 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 2741 | CKV_K8S_35 | resource | kubernetes_pod_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 2742 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilitiesPSP.py) | -| 2743 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilitiesPSP.py) | -| 2744 | CKV_K8S_37 | resource | CronJob | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2745 | CKV_K8S_37 | resource | DaemonSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2746 | CKV_K8S_37 | resource | Deployment | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2747 | CKV_K8S_37 | resource | DeploymentConfig | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2748 | CKV_K8S_37 | resource | Job | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2749 | CKV_K8S_37 | resource | Pod | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2750 | CKV_K8S_37 | resource | PodTemplate | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2751 | CKV_K8S_37 | resource | ReplicaSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2752 | CKV_K8S_37 | resource | ReplicationController | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2753 | CKV_K8S_37 | resource | StatefulSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2754 | CKV_K8S_37 | resource | kubernetes_deployment | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 2755 | CKV_K8S_37 | resource | kubernetes_deployment_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 2756 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 2757 | CKV_K8S_37 | resource | kubernetes_pod_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 2758 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2759 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2760 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2761 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2762 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2763 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2764 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2765 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2766 | CKV_K8S_39 | resource | CronJob | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2767 | CKV_K8S_39 | resource | DaemonSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2768 | CKV_K8S_39 | resource | Deployment | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2769 | CKV_K8S_39 | resource | DeploymentConfig | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2770 | CKV_K8S_39 | resource | Job | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2771 | CKV_K8S_39 | resource | Pod | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2772 | CKV_K8S_39 | resource | PodTemplate | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2773 | CKV_K8S_39 | resource | ReplicaSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2774 | CKV_K8S_39 | resource | ReplicationController | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2775 | CKV_K8S_39 | resource | StatefulSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2776 | CKV_K8S_39 | resource | kubernetes_deployment | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 2777 | CKV_K8S_39 | resource | kubernetes_deployment_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 2778 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 2779 | CKV_K8S_39 | resource | kubernetes_pod_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 2780 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2781 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2782 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2783 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2784 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2785 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2786 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2787 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2788 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccount.py) | -| 2789 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | -| 2790 | CKV_K8S_41 | resource | kubernetes_service_account_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | -| 2791 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccountBinding.py) | -| 2792 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccountBinding.py) | -| 2793 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 2794 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 2795 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 2796 | CKV_K8S_42 | resource | kubernetes_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 2797 | CKV_K8S_43 | resource | CronJob | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2798 | CKV_K8S_43 | resource | DaemonSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2799 | CKV_K8S_43 | resource | Deployment | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2800 | CKV_K8S_43 | resource | DeploymentConfig | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2801 | CKV_K8S_43 | resource | Job | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2802 | CKV_K8S_43 | resource | Pod | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2803 | CKV_K8S_43 | resource | PodTemplate | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2804 | CKV_K8S_43 | resource | ReplicaSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2805 | CKV_K8S_43 | resource | ReplicationController | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2806 | CKV_K8S_43 | resource | StatefulSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2807 | CKV_K8S_43 | resource | kubernetes_deployment | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 2808 | CKV_K8S_43 | resource | kubernetes_deployment_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 2809 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 2810 | CKV_K8S_43 | resource | kubernetes_pod_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 2811 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerService.py) | -| 2812 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | -| 2813 | CKV_K8S_44 | resource | kubernetes_service_v1 | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | -| 2814 | CKV_K8S_45 | resource | CronJob | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2815 | CKV_K8S_45 | resource | DaemonSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2816 | CKV_K8S_45 | resource | Deployment | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2817 | CKV_K8S_45 | resource | DeploymentConfig | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2818 | CKV_K8S_45 | resource | Job | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2819 | CKV_K8S_45 | resource | Pod | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2820 | CKV_K8S_45 | resource | PodTemplate | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2821 | CKV_K8S_45 | resource | ReplicaSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2822 | CKV_K8S_45 | resource | ReplicationController | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2823 | CKV_K8S_45 | resource | StatefulSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2824 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py) | -| 2825 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py) | -| 2826 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 2827 | CKV_K8S_49 | resource | kubernetes_cluster_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 2828 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 2829 | CKV_K8S_49 | resource | kubernetes_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 2830 | CKV_K8S_68 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2831 | CKV_K8S_68 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2832 | CKV_K8S_68 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2833 | CKV_K8S_68 | resource | DeploymentConfig | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2834 | CKV_K8S_68 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2835 | CKV_K8S_68 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2836 | CKV_K8S_68 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2837 | CKV_K8S_68 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2838 | CKV_K8S_68 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2839 | CKV_K8S_68 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2840 | CKV_K8S_69 | resource | CronJob | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2841 | CKV_K8S_69 | resource | DaemonSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2842 | CKV_K8S_69 | resource | Deployment | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2843 | CKV_K8S_69 | resource | DeploymentConfig | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2844 | CKV_K8S_69 | resource | Job | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2845 | CKV_K8S_69 | resource | Pod | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2846 | CKV_K8S_69 | resource | PodTemplate | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2847 | CKV_K8S_69 | resource | ReplicaSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2848 | CKV_K8S_69 | resource | ReplicationController | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2849 | CKV_K8S_69 | resource | StatefulSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2850 | CKV_K8S_70 | resource | CronJob | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2851 | CKV_K8S_70 | resource | DaemonSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2852 | CKV_K8S_70 | resource | Deployment | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2853 | CKV_K8S_70 | resource | DeploymentConfig | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2854 | CKV_K8S_70 | resource | Job | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2855 | CKV_K8S_70 | resource | Pod | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2856 | CKV_K8S_70 | resource | PodTemplate | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2857 | CKV_K8S_70 | resource | ReplicaSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2858 | CKV_K8S_70 | resource | ReplicationController | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2859 | CKV_K8S_70 | resource | StatefulSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2860 | CKV_K8S_71 | resource | CronJob | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2861 | CKV_K8S_71 | resource | DaemonSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2862 | CKV_K8S_71 | resource | Deployment | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2863 | CKV_K8S_71 | resource | DeploymentConfig | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2864 | CKV_K8S_71 | resource | Job | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2865 | CKV_K8S_71 | resource | Pod | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2866 | CKV_K8S_71 | resource | PodTemplate | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2867 | CKV_K8S_71 | resource | ReplicaSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2868 | CKV_K8S_71 | resource | ReplicationController | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2869 | CKV_K8S_71 | resource | StatefulSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2870 | CKV_K8S_72 | resource | CronJob | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2871 | CKV_K8S_72 | resource | DaemonSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2872 | CKV_K8S_72 | resource | Deployment | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2873 | CKV_K8S_72 | resource | DeploymentConfig | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2874 | CKV_K8S_72 | resource | Job | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2875 | CKV_K8S_72 | resource | Pod | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2876 | CKV_K8S_72 | resource | PodTemplate | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2877 | CKV_K8S_72 | resource | ReplicaSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2878 | CKV_K8S_72 | resource | ReplicationController | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2879 | CKV_K8S_72 | resource | StatefulSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2880 | CKV_K8S_73 | resource | CronJob | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2881 | CKV_K8S_73 | resource | DaemonSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2882 | CKV_K8S_73 | resource | Deployment | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2883 | CKV_K8S_73 | resource | DeploymentConfig | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2884 | CKV_K8S_73 | resource | Job | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2885 | CKV_K8S_73 | resource | Pod | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2886 | CKV_K8S_73 | resource | PodTemplate | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2887 | CKV_K8S_73 | resource | ReplicaSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2888 | CKV_K8S_73 | resource | ReplicationController | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2889 | CKV_K8S_73 | resource | StatefulSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2890 | CKV_K8S_74 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2891 | CKV_K8S_74 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2892 | CKV_K8S_74 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2893 | CKV_K8S_74 | resource | DeploymentConfig | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2894 | CKV_K8S_74 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2895 | CKV_K8S_74 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2896 | CKV_K8S_74 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2897 | CKV_K8S_74 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2898 | CKV_K8S_74 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2899 | CKV_K8S_74 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2900 | CKV_K8S_75 | resource | CronJob | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2901 | CKV_K8S_75 | resource | DaemonSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2902 | CKV_K8S_75 | resource | Deployment | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2903 | CKV_K8S_75 | resource | DeploymentConfig | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2904 | CKV_K8S_75 | resource | Job | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2905 | CKV_K8S_75 | resource | Pod | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2906 | CKV_K8S_75 | resource | PodTemplate | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2907 | CKV_K8S_75 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2908 | CKV_K8S_75 | resource | ReplicationController | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2909 | CKV_K8S_75 | resource | StatefulSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2910 | CKV_K8S_77 | resource | CronJob | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2911 | CKV_K8S_77 | resource | DaemonSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2912 | CKV_K8S_77 | resource | Deployment | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2913 | CKV_K8S_77 | resource | DeploymentConfig | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2914 | CKV_K8S_77 | resource | Job | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2915 | CKV_K8S_77 | resource | Pod | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2916 | CKV_K8S_77 | resource | PodTemplate | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2917 | CKV_K8S_77 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2918 | CKV_K8S_77 | resource | ReplicationController | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2919 | CKV_K8S_77 | resource | StatefulSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2920 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set | Kubernetes | [ApiServerAdmissionControlEventRateLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlEventRateLimit.py) | -| 2921 | CKV_K8S_79 | resource | CronJob | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2922 | CKV_K8S_79 | resource | DaemonSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2923 | CKV_K8S_79 | resource | Deployment | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2924 | CKV_K8S_79 | resource | DeploymentConfig | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2925 | CKV_K8S_79 | resource | Job | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2926 | CKV_K8S_79 | resource | Pod | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2927 | CKV_K8S_79 | resource | PodTemplate | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2928 | CKV_K8S_79 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2929 | CKV_K8S_79 | resource | ReplicationController | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2930 | CKV_K8S_79 | resource | StatefulSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2931 | CKV_K8S_80 | resource | CronJob | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2932 | CKV_K8S_80 | resource | DaemonSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2933 | CKV_K8S_80 | resource | Deployment | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2934 | CKV_K8S_80 | resource | DeploymentConfig | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2935 | CKV_K8S_80 | resource | Job | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2936 | CKV_K8S_80 | resource | Pod | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2937 | CKV_K8S_80 | resource | PodTemplate | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2938 | CKV_K8S_80 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2939 | CKV_K8S_80 | resource | ReplicationController | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2940 | CKV_K8S_80 | resource | StatefulSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2941 | CKV_K8S_81 | resource | CronJob | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2942 | CKV_K8S_81 | resource | DaemonSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2943 | CKV_K8S_81 | resource | Deployment | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2944 | CKV_K8S_81 | resource | DeploymentConfig | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2945 | CKV_K8S_81 | resource | Job | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2946 | CKV_K8S_81 | resource | Pod | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2947 | CKV_K8S_81 | resource | PodTemplate | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2948 | CKV_K8S_81 | resource | ReplicaSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2949 | CKV_K8S_81 | resource | ReplicationController | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2950 | CKV_K8S_81 | resource | StatefulSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 2951 | CKV_K8S_82 | resource | CronJob | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2952 | CKV_K8S_82 | resource | DaemonSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2953 | CKV_K8S_82 | resource | Deployment | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2954 | CKV_K8S_82 | resource | DeploymentConfig | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2955 | CKV_K8S_82 | resource | Job | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2956 | CKV_K8S_82 | resource | Pod | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2957 | CKV_K8S_82 | resource | PodTemplate | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2958 | CKV_K8S_82 | resource | ReplicaSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2959 | CKV_K8S_82 | resource | ReplicationController | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2960 | CKV_K8S_82 | resource | StatefulSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 2961 | CKV_K8S_83 | resource | CronJob | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2962 | CKV_K8S_83 | resource | DaemonSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2963 | CKV_K8S_83 | resource | Deployment | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2964 | CKV_K8S_83 | resource | DeploymentConfig | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2965 | CKV_K8S_83 | resource | Job | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2966 | CKV_K8S_83 | resource | Pod | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2967 | CKV_K8S_83 | resource | PodTemplate | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2968 | CKV_K8S_83 | resource | ReplicaSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2969 | CKV_K8S_83 | resource | ReplicationController | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2970 | CKV_K8S_83 | resource | StatefulSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 2971 | CKV_K8S_84 | resource | CronJob | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2972 | CKV_K8S_84 | resource | DaemonSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2973 | CKV_K8S_84 | resource | Deployment | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2974 | CKV_K8S_84 | resource | DeploymentConfig | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2975 | CKV_K8S_84 | resource | Job | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2976 | CKV_K8S_84 | resource | Pod | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2977 | CKV_K8S_84 | resource | PodTemplate | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2978 | CKV_K8S_84 | resource | ReplicaSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2979 | CKV_K8S_84 | resource | ReplicationController | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2980 | CKV_K8S_84 | resource | StatefulSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 2981 | CKV_K8S_85 | resource | CronJob | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2982 | CKV_K8S_85 | resource | DaemonSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2983 | CKV_K8S_85 | resource | Deployment | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2984 | CKV_K8S_85 | resource | DeploymentConfig | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2985 | CKV_K8S_85 | resource | Job | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2986 | CKV_K8S_85 | resource | Pod | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2987 | CKV_K8S_85 | resource | PodTemplate | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2988 | CKV_K8S_85 | resource | ReplicaSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2989 | CKV_K8S_85 | resource | ReplicationController | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2990 | CKV_K8S_85 | resource | StatefulSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 2991 | CKV_K8S_86 | resource | CronJob | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2992 | CKV_K8S_86 | resource | DaemonSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2993 | CKV_K8S_86 | resource | Deployment | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2994 | CKV_K8S_86 | resource | DeploymentConfig | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2995 | CKV_K8S_86 | resource | Job | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2996 | CKV_K8S_86 | resource | Pod | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2997 | CKV_K8S_86 | resource | PodTemplate | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2998 | CKV_K8S_86 | resource | ReplicaSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 2999 | CKV_K8S_86 | resource | ReplicationController | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3000 | CKV_K8S_86 | resource | StatefulSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3001 | CKV_K8S_88 | resource | CronJob | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3002 | CKV_K8S_88 | resource | DaemonSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3003 | CKV_K8S_88 | resource | Deployment | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3004 | CKV_K8S_88 | resource | DeploymentConfig | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3005 | CKV_K8S_88 | resource | Job | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3006 | CKV_K8S_88 | resource | Pod | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3007 | CKV_K8S_88 | resource | PodTemplate | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3008 | CKV_K8S_88 | resource | ReplicaSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3009 | CKV_K8S_88 | resource | ReplicationController | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3010 | CKV_K8S_88 | resource | StatefulSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3011 | CKV_K8S_89 | resource | CronJob | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3012 | CKV_K8S_89 | resource | DaemonSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3013 | CKV_K8S_89 | resource | Deployment | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3014 | CKV_K8S_89 | resource | DeploymentConfig | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3015 | CKV_K8S_89 | resource | Job | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3016 | CKV_K8S_89 | resource | Pod | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3017 | CKV_K8S_89 | resource | PodTemplate | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3018 | CKV_K8S_89 | resource | ReplicaSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3019 | CKV_K8S_89 | resource | ReplicationController | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3020 | CKV_K8S_89 | resource | StatefulSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3021 | CKV_K8S_90 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3022 | CKV_K8S_90 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3023 | CKV_K8S_90 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3024 | CKV_K8S_90 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3025 | CKV_K8S_90 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3026 | CKV_K8S_90 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3027 | CKV_K8S_90 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3028 | CKV_K8S_90 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3029 | CKV_K8S_90 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3030 | CKV_K8S_90 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3031 | CKV_K8S_91 | resource | CronJob | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3032 | CKV_K8S_91 | resource | DaemonSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3033 | CKV_K8S_91 | resource | Deployment | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3034 | CKV_K8S_91 | resource | DeploymentConfig | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3035 | CKV_K8S_91 | resource | Job | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3036 | CKV_K8S_91 | resource | Pod | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3037 | CKV_K8S_91 | resource | PodTemplate | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3038 | CKV_K8S_91 | resource | ReplicaSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3039 | CKV_K8S_91 | resource | ReplicationController | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3040 | CKV_K8S_91 | resource | StatefulSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3041 | CKV_K8S_92 | resource | CronJob | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3042 | CKV_K8S_92 | resource | DaemonSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3043 | CKV_K8S_92 | resource | Deployment | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3044 | CKV_K8S_92 | resource | DeploymentConfig | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3045 | CKV_K8S_92 | resource | Job | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3046 | CKV_K8S_92 | resource | Pod | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3047 | CKV_K8S_92 | resource | PodTemplate | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3048 | CKV_K8S_92 | resource | ReplicaSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3049 | CKV_K8S_92 | resource | ReplicationController | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3050 | CKV_K8S_92 | resource | StatefulSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3051 | CKV_K8S_93 | resource | CronJob | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3052 | CKV_K8S_93 | resource | DaemonSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3053 | CKV_K8S_93 | resource | Deployment | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3054 | CKV_K8S_93 | resource | DeploymentConfig | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3055 | CKV_K8S_93 | resource | Job | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3056 | CKV_K8S_93 | resource | Pod | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3057 | CKV_K8S_93 | resource | PodTemplate | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3058 | CKV_K8S_93 | resource | ReplicaSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3059 | CKV_K8S_93 | resource | ReplicationController | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3060 | CKV_K8S_93 | resource | StatefulSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3061 | CKV_K8S_94 | resource | CronJob | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3062 | CKV_K8S_94 | resource | DaemonSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3063 | CKV_K8S_94 | resource | Deployment | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3064 | CKV_K8S_94 | resource | DeploymentConfig | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3065 | CKV_K8S_94 | resource | Job | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3066 | CKV_K8S_94 | resource | Pod | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3067 | CKV_K8S_94 | resource | PodTemplate | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3068 | CKV_K8S_94 | resource | ReplicaSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3069 | CKV_K8S_94 | resource | ReplicationController | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3070 | CKV_K8S_94 | resource | StatefulSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3071 | CKV_K8S_95 | resource | CronJob | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3072 | CKV_K8S_95 | resource | DaemonSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3073 | CKV_K8S_95 | resource | Deployment | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3074 | CKV_K8S_95 | resource | DeploymentConfig | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3075 | CKV_K8S_95 | resource | Job | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3076 | CKV_K8S_95 | resource | Pod | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3077 | CKV_K8S_95 | resource | PodTemplate | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3078 | CKV_K8S_95 | resource | ReplicaSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3079 | CKV_K8S_95 | resource | ReplicationController | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3080 | CKV_K8S_95 | resource | StatefulSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3081 | CKV_K8S_96 | resource | CronJob | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3082 | CKV_K8S_96 | resource | DaemonSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3083 | CKV_K8S_96 | resource | Deployment | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3084 | CKV_K8S_96 | resource | DeploymentConfig | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3085 | CKV_K8S_96 | resource | Job | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3086 | CKV_K8S_96 | resource | Pod | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3087 | CKV_K8S_96 | resource | PodTemplate | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3088 | CKV_K8S_96 | resource | ReplicaSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3089 | CKV_K8S_96 | resource | ReplicationController | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3090 | CKV_K8S_96 | resource | StatefulSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3091 | CKV_K8S_97 | resource | CronJob | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3092 | CKV_K8S_97 | resource | DaemonSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3093 | CKV_K8S_97 | resource | Deployment | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3094 | CKV_K8S_97 | resource | DeploymentConfig | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3095 | CKV_K8S_97 | resource | Job | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3096 | CKV_K8S_97 | resource | Pod | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3097 | CKV_K8S_97 | resource | PodTemplate | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3098 | CKV_K8S_97 | resource | ReplicaSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3099 | CKV_K8S_97 | resource | ReplicationController | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3100 | CKV_K8S_97 | resource | StatefulSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3101 | CKV_K8S_99 | resource | CronJob | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3102 | CKV_K8S_99 | resource | DaemonSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3103 | CKV_K8S_99 | resource | Deployment | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3104 | CKV_K8S_99 | resource | DeploymentConfig | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3105 | CKV_K8S_99 | resource | Job | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3106 | CKV_K8S_99 | resource | Pod | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3107 | CKV_K8S_99 | resource | PodTemplate | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3108 | CKV_K8S_99 | resource | ReplicaSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3109 | CKV_K8S_99 | resource | ReplicationController | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3110 | CKV_K8S_99 | resource | StatefulSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3111 | CKV_K8S_100 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3112 | CKV_K8S_100 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3113 | CKV_K8S_100 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3114 | CKV_K8S_100 | resource | DeploymentConfig | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3115 | CKV_K8S_100 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3116 | CKV_K8S_100 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3117 | CKV_K8S_100 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3118 | CKV_K8S_100 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3119 | CKV_K8S_100 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3120 | CKV_K8S_100 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3121 | CKV_K8S_102 | resource | CronJob | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3122 | CKV_K8S_102 | resource | DaemonSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3123 | CKV_K8S_102 | resource | Deployment | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3124 | CKV_K8S_102 | resource | DeploymentConfig | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3125 | CKV_K8S_102 | resource | Job | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3126 | CKV_K8S_102 | resource | Pod | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3127 | CKV_K8S_102 | resource | PodTemplate | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3128 | CKV_K8S_102 | resource | ReplicaSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3129 | CKV_K8S_102 | resource | ReplicationController | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3130 | CKV_K8S_102 | resource | StatefulSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3131 | CKV_K8S_104 | resource | CronJob | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3132 | CKV_K8S_104 | resource | DaemonSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3133 | CKV_K8S_104 | resource | Deployment | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3134 | CKV_K8S_104 | resource | DeploymentConfig | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3135 | CKV_K8S_104 | resource | Job | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3136 | CKV_K8S_104 | resource | Pod | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3137 | CKV_K8S_104 | resource | PodTemplate | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3138 | CKV_K8S_104 | resource | ReplicaSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3139 | CKV_K8S_104 | resource | ReplicationController | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3140 | CKV_K8S_104 | resource | StatefulSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3141 | CKV_K8S_105 | resource | CronJob | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3142 | CKV_K8S_105 | resource | DaemonSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3143 | CKV_K8S_105 | resource | Deployment | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3144 | CKV_K8S_105 | resource | DeploymentConfig | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3145 | CKV_K8S_105 | resource | Job | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3146 | CKV_K8S_105 | resource | Pod | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3147 | CKV_K8S_105 | resource | PodTemplate | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3148 | CKV_K8S_105 | resource | ReplicaSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3149 | CKV_K8S_105 | resource | ReplicationController | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3150 | CKV_K8S_105 | resource | StatefulSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3151 | CKV_K8S_106 | resource | CronJob | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3152 | CKV_K8S_106 | resource | DaemonSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3153 | CKV_K8S_106 | resource | Deployment | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3154 | CKV_K8S_106 | resource | DeploymentConfig | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3155 | CKV_K8S_106 | resource | Job | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3156 | CKV_K8S_106 | resource | Pod | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3157 | CKV_K8S_106 | resource | PodTemplate | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3158 | CKV_K8S_106 | resource | ReplicaSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3159 | CKV_K8S_106 | resource | ReplicationController | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3160 | CKV_K8S_106 | resource | StatefulSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3161 | CKV_K8S_107 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3162 | CKV_K8S_107 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3163 | CKV_K8S_107 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3164 | CKV_K8S_107 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3165 | CKV_K8S_107 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3166 | CKV_K8S_107 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3167 | CKV_K8S_107 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3168 | CKV_K8S_107 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3169 | CKV_K8S_107 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3170 | CKV_K8S_107 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3171 | CKV_K8S_108 | resource | CronJob | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3172 | CKV_K8S_108 | resource | DaemonSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3173 | CKV_K8S_108 | resource | Deployment | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3174 | CKV_K8S_108 | resource | DeploymentConfig | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3175 | CKV_K8S_108 | resource | Job | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3176 | CKV_K8S_108 | resource | Pod | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3177 | CKV_K8S_108 | resource | PodTemplate | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3178 | CKV_K8S_108 | resource | ReplicaSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3179 | CKV_K8S_108 | resource | ReplicationController | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3180 | CKV_K8S_108 | resource | StatefulSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3181 | CKV_K8S_110 | resource | CronJob | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3182 | CKV_K8S_110 | resource | DaemonSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3183 | CKV_K8S_110 | resource | Deployment | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3184 | CKV_K8S_110 | resource | DeploymentConfig | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3185 | CKV_K8S_110 | resource | Job | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3186 | CKV_K8S_110 | resource | Pod | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3187 | CKV_K8S_110 | resource | PodTemplate | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3188 | CKV_K8S_110 | resource | ReplicaSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3189 | CKV_K8S_110 | resource | ReplicationController | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3190 | CKV_K8S_110 | resource | StatefulSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3191 | CKV_K8S_111 | resource | CronJob | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3192 | CKV_K8S_111 | resource | DaemonSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3193 | CKV_K8S_111 | resource | Deployment | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3194 | CKV_K8S_111 | resource | DeploymentConfig | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3195 | CKV_K8S_111 | resource | Job | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3196 | CKV_K8S_111 | resource | Pod | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3197 | CKV_K8S_111 | resource | PodTemplate | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3198 | CKV_K8S_111 | resource | ReplicaSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3199 | CKV_K8S_111 | resource | ReplicationController | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3200 | CKV_K8S_111 | resource | StatefulSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3201 | CKV_K8S_112 | resource | CronJob | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3202 | CKV_K8S_112 | resource | DaemonSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3203 | CKV_K8S_112 | resource | Deployment | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3204 | CKV_K8S_112 | resource | DeploymentConfig | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3205 | CKV_K8S_112 | resource | Job | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3206 | CKV_K8S_112 | resource | Pod | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3207 | CKV_K8S_112 | resource | PodTemplate | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3208 | CKV_K8S_112 | resource | ReplicaSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3209 | CKV_K8S_112 | resource | ReplicationController | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3210 | CKV_K8S_112 | resource | StatefulSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3211 | CKV_K8S_113 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3212 | CKV_K8S_113 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3213 | CKV_K8S_113 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3214 | CKV_K8S_113 | resource | DeploymentConfig | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3215 | CKV_K8S_113 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3216 | CKV_K8S_113 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3217 | CKV_K8S_113 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3218 | CKV_K8S_113 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3219 | CKV_K8S_113 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3220 | CKV_K8S_113 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3221 | CKV_K8S_114 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3222 | CKV_K8S_114 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3223 | CKV_K8S_114 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3224 | CKV_K8S_114 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3225 | CKV_K8S_114 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3226 | CKV_K8S_114 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3227 | CKV_K8S_114 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3228 | CKV_K8S_114 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3229 | CKV_K8S_114 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3230 | CKV_K8S_114 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3231 | CKV_K8S_115 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3232 | CKV_K8S_115 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3233 | CKV_K8S_115 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3234 | CKV_K8S_115 | resource | DeploymentConfig | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3235 | CKV_K8S_115 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3236 | CKV_K8S_115 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3237 | CKV_K8S_115 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3238 | CKV_K8S_115 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3239 | CKV_K8S_115 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3240 | CKV_K8S_115 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3241 | CKV_K8S_116 | resource | CronJob | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3242 | CKV_K8S_116 | resource | DaemonSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3243 | CKV_K8S_116 | resource | Deployment | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3244 | CKV_K8S_116 | resource | DeploymentConfig | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3245 | CKV_K8S_116 | resource | Job | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3246 | CKV_K8S_116 | resource | Pod | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3247 | CKV_K8S_116 | resource | PodTemplate | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3248 | CKV_K8S_116 | resource | ReplicaSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3249 | CKV_K8S_116 | resource | ReplicationController | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3250 | CKV_K8S_116 | resource | StatefulSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3251 | CKV_K8S_117 | resource | CronJob | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3252 | CKV_K8S_117 | resource | DaemonSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3253 | CKV_K8S_117 | resource | Deployment | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3254 | CKV_K8S_117 | resource | DeploymentConfig | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3255 | CKV_K8S_117 | resource | Job | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3256 | CKV_K8S_117 | resource | Pod | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3257 | CKV_K8S_117 | resource | PodTemplate | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3258 | CKV_K8S_117 | resource | ReplicaSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3259 | CKV_K8S_117 | resource | ReplicationController | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3260 | CKV_K8S_117 | resource | StatefulSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3261 | CKV_K8S_118 | resource | CronJob | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3262 | CKV_K8S_118 | resource | DaemonSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3263 | CKV_K8S_118 | resource | Deployment | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3264 | CKV_K8S_118 | resource | DeploymentConfig | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3265 | CKV_K8S_118 | resource | Job | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3266 | CKV_K8S_118 | resource | Pod | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3267 | CKV_K8S_118 | resource | PodTemplate | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3268 | CKV_K8S_118 | resource | ReplicaSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3269 | CKV_K8S_118 | resource | ReplicationController | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3270 | CKV_K8S_118 | resource | StatefulSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | -| 3271 | CKV_K8S_119 | resource | CronJob | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3272 | CKV_K8S_119 | resource | DaemonSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3273 | CKV_K8S_119 | resource | Deployment | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3274 | CKV_K8S_119 | resource | DeploymentConfig | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3275 | CKV_K8S_119 | resource | Job | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3276 | CKV_K8S_119 | resource | Pod | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3277 | CKV_K8S_119 | resource | PodTemplate | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3278 | CKV_K8S_119 | resource | ReplicaSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3279 | CKV_K8S_119 | resource | ReplicationController | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3280 | CKV_K8S_119 | resource | StatefulSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | -| 3281 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true | Kubernetes | [PeerClientCertAuthTrue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PeerClientCertAuthTrue.py) | -| 3282 | CKV_K8S_138 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3283 | CKV_K8S_138 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3284 | CKV_K8S_138 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3285 | CKV_K8S_138 | resource | DeploymentConfig | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3286 | CKV_K8S_138 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3287 | CKV_K8S_138 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3288 | CKV_K8S_138 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3289 | CKV_K8S_138 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3290 | CKV_K8S_138 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3291 | CKV_K8S_138 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3292 | CKV_K8S_139 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3293 | CKV_K8S_139 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3294 | CKV_K8S_139 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3295 | CKV_K8S_139 | resource | DeploymentConfig | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3296 | CKV_K8S_139 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3297 | CKV_K8S_139 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3298 | CKV_K8S_139 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3299 | CKV_K8S_139 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3300 | CKV_K8S_139 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3301 | CKV_K8S_139 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3302 | CKV_K8S_140 | resource | CronJob | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3303 | CKV_K8S_140 | resource | DaemonSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3304 | CKV_K8S_140 | resource | Deployment | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3305 | CKV_K8S_140 | resource | DeploymentConfig | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3306 | CKV_K8S_140 | resource | Job | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3307 | CKV_K8S_140 | resource | Pod | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3308 | CKV_K8S_140 | resource | PodTemplate | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3309 | CKV_K8S_140 | resource | ReplicaSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3310 | CKV_K8S_140 | resource | ReplicationController | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3311 | CKV_K8S_140 | resource | StatefulSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3312 | CKV_K8S_141 | resource | CronJob | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3313 | CKV_K8S_141 | resource | DaemonSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3314 | CKV_K8S_141 | resource | Deployment | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3315 | CKV_K8S_141 | resource | DeploymentConfig | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3316 | CKV_K8S_141 | resource | Job | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3317 | CKV_K8S_141 | resource | Pod | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3318 | CKV_K8S_141 | resource | PodTemplate | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3319 | CKV_K8S_141 | resource | ReplicaSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3320 | CKV_K8S_141 | resource | ReplicationController | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3321 | CKV_K8S_141 | resource | StatefulSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3322 | CKV_K8S_143 | resource | CronJob | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3323 | CKV_K8S_143 | resource | DaemonSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3324 | CKV_K8S_143 | resource | Deployment | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3325 | CKV_K8S_143 | resource | DeploymentConfig | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3326 | CKV_K8S_143 | resource | Job | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3327 | CKV_K8S_143 | resource | Pod | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3328 | CKV_K8S_143 | resource | PodTemplate | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3329 | CKV_K8S_143 | resource | ReplicaSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3330 | CKV_K8S_143 | resource | ReplicationController | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3331 | CKV_K8S_143 | resource | StatefulSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3332 | CKV_K8S_144 | resource | CronJob | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3333 | CKV_K8S_144 | resource | DaemonSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3334 | CKV_K8S_144 | resource | Deployment | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3335 | CKV_K8S_144 | resource | DeploymentConfig | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3336 | CKV_K8S_144 | resource | Job | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3337 | CKV_K8S_144 | resource | Pod | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3338 | CKV_K8S_144 | resource | PodTemplate | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3339 | CKV_K8S_144 | resource | ReplicaSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3340 | CKV_K8S_144 | resource | ReplicationController | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3341 | CKV_K8S_144 | resource | StatefulSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3342 | CKV_K8S_145 | resource | CronJob | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3343 | CKV_K8S_145 | resource | DaemonSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3344 | CKV_K8S_145 | resource | Deployment | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3345 | CKV_K8S_145 | resource | DeploymentConfig | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3346 | CKV_K8S_145 | resource | Job | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3347 | CKV_K8S_145 | resource | Pod | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3348 | CKV_K8S_145 | resource | PodTemplate | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3349 | CKV_K8S_145 | resource | ReplicaSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3350 | CKV_K8S_145 | resource | ReplicationController | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3351 | CKV_K8S_145 | resource | StatefulSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3352 | CKV_K8S_146 | resource | CronJob | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3353 | CKV_K8S_146 | resource | DaemonSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3354 | CKV_K8S_146 | resource | Deployment | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3355 | CKV_K8S_146 | resource | DeploymentConfig | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3356 | CKV_K8S_146 | resource | Job | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3357 | CKV_K8S_146 | resource | Pod | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3358 | CKV_K8S_146 | resource | PodTemplate | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3359 | CKV_K8S_146 | resource | ReplicaSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3360 | CKV_K8S_146 | resource | ReplicationController | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3361 | CKV_K8S_146 | resource | StatefulSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3362 | CKV_K8S_147 | resource | CronJob | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3363 | CKV_K8S_147 | resource | DaemonSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3364 | CKV_K8S_147 | resource | Deployment | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3365 | CKV_K8S_147 | resource | DeploymentConfig | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3366 | CKV_K8S_147 | resource | Job | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3367 | CKV_K8S_147 | resource | Pod | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3368 | CKV_K8S_147 | resource | PodTemplate | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3369 | CKV_K8S_147 | resource | ReplicaSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3370 | CKV_K8S_147 | resource | ReplicationController | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3371 | CKV_K8S_147 | resource | StatefulSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3372 | CKV_K8S_148 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3373 | CKV_K8S_148 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3374 | CKV_K8S_148 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3375 | CKV_K8S_148 | resource | DeploymentConfig | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3376 | CKV_K8S_148 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3377 | CKV_K8S_148 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3378 | CKV_K8S_148 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3379 | CKV_K8S_148 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3380 | CKV_K8S_148 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3381 | CKV_K8S_148 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3382 | CKV_K8S_149 | resource | CronJob | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3383 | CKV_K8S_149 | resource | DaemonSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3384 | CKV_K8S_149 | resource | Deployment | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3385 | CKV_K8S_149 | resource | DeploymentConfig | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3386 | CKV_K8S_149 | resource | Job | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3387 | CKV_K8S_149 | resource | Pod | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3388 | CKV_K8S_149 | resource | PodTemplate | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3389 | CKV_K8S_149 | resource | ReplicaSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3390 | CKV_K8S_149 | resource | ReplicationController | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3391 | CKV_K8S_149 | resource | StatefulSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3392 | CKV_K8S_151 | resource | CronJob | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3393 | CKV_K8S_151 | resource | DaemonSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3394 | CKV_K8S_151 | resource | Deployment | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3395 | CKV_K8S_151 | resource | DeploymentConfig | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3396 | CKV_K8S_151 | resource | Job | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3397 | CKV_K8S_151 | resource | Pod | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3398 | CKV_K8S_151 | resource | PodTemplate | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3399 | CKV_K8S_151 | resource | ReplicaSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3400 | CKV_K8S_151 | resource | ReplicationController | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3401 | CKV_K8S_151 | resource | StatefulSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3402 | CKV_K8S_152 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain LUA code execution. See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742Lua.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Lua.py) | -| 3403 | CKV_K8S_153 | resource | Ingress | Prevent All NGINX Ingress annotation snippets. See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742AllSnippets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742AllSnippets.py) | -| 3404 | CKV_K8S_154 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain alias statements See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742Alias.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Alias.py) | -| 3405 | CKV_K8S_155 | resource | ClusterRole | Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations | Kubernetes | [RbacControlWebhooks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py) | -| 3406 | CKV_K8S_156 | resource | ClusterRole | Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests | Kubernetes | [RbacApproveCertificateSigningRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacApproveCertificateSigningRequests.py) | -| 3407 | CKV_K8S_157 | resource | ClusterRole | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | Kubernetes | [RbacBindRoleBindings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py) | -| 3408 | CKV_K8S_157 | resource | Role | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | Kubernetes | [RbacBindRoleBindings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py) | -| 3409 | CKV_K8S_158 | resource | ClusterRole | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | Kubernetes | [RbacEscalateRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py) | -| 3410 | CKV_K8S_158 | resource | Role | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | Kubernetes | [RbacEscalateRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py) | -| 3411 | CKV2_K8S_1 | resource | ClusterRole | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | -| 3412 | CKV2_K8S_1 | resource | ClusterRoleBinding | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | -| 3413 | CKV2_K8S_1 | resource | Role | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | -| 3414 | CKV2_K8S_1 | resource | RoleBinding | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | -| 3415 | CKV2_K8S_2 | resource | ClusterRole | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | -| 3416 | CKV2_K8S_2 | resource | ClusterRoleBinding | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | -| 3417 | CKV2_K8S_2 | resource | Role | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | -| 3418 | CKV2_K8S_2 | resource | RoleBinding | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | -| 3419 | CKV2_K8S_3 | resource | ClusterRole | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | -| 3420 | CKV2_K8S_3 | resource | ClusterRoleBinding | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | -| 3421 | CKV2_K8S_3 | resource | Role | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | -| 3422 | CKV2_K8S_3 | resource | RoleBinding | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | -| 3423 | CKV2_K8S_4 | resource | ClusterRole | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | -| 3424 | CKV2_K8S_4 | resource | ClusterRoleBinding | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | -| 3425 | CKV2_K8S_4 | resource | Role | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | -| 3426 | CKV2_K8S_4 | resource | RoleBinding | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | -| 3427 | CKV2_K8S_5 | resource | ClusterRole | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | -| 3428 | CKV2_K8S_5 | resource | ClusterRoleBinding | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | -| 3429 | CKV2_K8S_5 | resource | Role | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | -| 3430 | CKV2_K8S_5 | resource | RoleBinding | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | -| 3431 | CKV2_K8S_6 | resource | Deployment | Minimize the admission of pods which lack an associated NetworkPolicy | Kubernetes | [RequireAllPodsToHaveNetworkPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RequireAllPodsToHaveNetworkPolicy.yaml) | -| 3432 | CKV2_K8S_6 | resource | Pod | Minimize the admission of pods which lack an associated NetworkPolicy | Kubernetes | [RequireAllPodsToHaveNetworkPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RequireAllPodsToHaveNetworkPolicy.yaml) | -| 3433 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/linode/credentials.py) | -| 3434 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | [authorized_keys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/authorized_keys.py) | -| 3435 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | [user_email_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_email_set.py) | -| 3436 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | [user_username_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_username_set.py) | -| 3437 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_inbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_inbound_policy.py) | -| 3438 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_outbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_outbound_policy.py) | -| 3439 | CKV_NCP_1 | resource | ncloud_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupDefinesHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py) | -| 3440 | CKV_NCP_2 | resource | ncloud_access_control_group | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | -| 3441 | CKV_NCP_2 | resource | ncloud_access_control_group_rule | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | -| 3442 | CKV_NCP_3 | resource | ncloud_access_control_group_rule | Ensure no security group rules allow outbound traffic to 0.0.0.0/0 | Terraform | [AccessControlGroupOutboundRule.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py) | -| 3443 | CKV_NCP_4 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22 | Terraform | [AccessControlGroupInboundRulePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort22.py) | -| 3444 | CKV_NCP_5 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [AccessControlGroupInboundRulePort3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort3389.py) | -| 3445 | CKV_NCP_6 | resource | ncloud_server | Ensure Server instance is encrypted. | Terraform | [ServerEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerEncryptionVPC.py) | -| 3446 | CKV_NCP_7 | resource | ncloud_launch_configuration | Ensure Basic Block storage is encrypted. | Terraform | [LaunchConfigurationEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LaunchConfigurationEncryptionVPC.py) | -| 3447 | CKV_NCP_8 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 20 | Terraform | [NACLInbound20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound20.py) | -| 3448 | CKV_NCP_9 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 21 | Terraform | [NACLInbound21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound21.py) | -| 3449 | CKV_NCP_10 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 22 | Terraform | [NACLInbound22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound22.py) | -| 3450 | CKV_NCP_11 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [NACLInbound3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound3389.py) | -| 3451 | CKV_NCP_12 | resource | ncloud_network_acl_rule | An inbound Network ACL rule should not allow ALL ports. | Terraform | [NACLPortCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLPortCheck.py) | -| 3452 | CKV_NCP_13 | resource | ncloud_lb_listener | Ensure LB Listener uses only secure protocols | Terraform | [LBListenerUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py) | -| 3453 | CKV_NCP_14 | resource | ncloud_nas_volume | Ensure NAS is securely encrypted | Terraform | [NASEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py) | -| 3454 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | [LBTargetGroupUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py) | -| 3455 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | [LBNetworkPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py) | -| 3456 | CKV_NCP_18 | resource | ncloud_auto_scaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | -| 3457 | CKV_NCP_18 | resource | ncloud_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | -| 3458 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | [NKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSPublicAccess.py) | -| 3459 | CKV_NCP_20 | resource | ncloud_route | Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | Terraform | [RouteTableNATGatewayDefault.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py) | -| 3460 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | [NKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py) | -| 3461 | CKV_NCP_22 | resource | ncloud_route_table | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | -| 3462 | CKV_NCP_22 | resource | ncloud_subnet | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | -| 3463 | CKV_NCP_23 | resource | ncloud_public_ip | Ensure Server instance should not have public IP. | Terraform | [ServerPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerPublicIP.py) | -| 3464 | CKV_NCP_24 | resource | ncloud_lb_listener | Ensure Load Balancer Listener Using HTTPS | Terraform | [LBListenerUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsingHTTPS.py) | -| 3465 | CKV_NCP_25 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 | Terraform | [AccessControlGroupInboundRulePort80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort80.py) | -| 3466 | CKV_NCP_26 | resource | ncloud_access_control_group | Ensure Access Control Group has Access Control Group Rule attached | Terraform | [AccessControlGroupRuleDefine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AccessControlGroupRuleDefine.yaml) | -| 3467 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/oci/credentials.py) | -| 3468 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | [StorageBlockBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockBackupEnabled.py) | -| 3469 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | [StorageBlockEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockEncryption.py) | -| 3470 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | [InstanceBootVolumeIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceBootVolumeIntransitEncryption.py) | -| 3471 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | [InstanceMetadataServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMetadataServiceEnabled.py) | -| 3472 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | [InstanceMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMonitoringEnabled.py) | -| 3473 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | [ObjectStorageEmitEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEmitEvents.py) | -| 3474 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | [ObjectStorageVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageVersioning.py) | -| 3475 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | [ObjectStorageEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEncryption.py) | -| 3476 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | [ObjectStoragePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStoragePublic.py) | -| 3477 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | [IAMPasswordPolicyLowerCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyLowerCase.py) | -| 3478 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | [IAMPasswordPolicyNumeric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyNumeric.py) | -| 3479 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | [IAMPasswordPolicySpecialCharacters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicySpecialCharacters.py) | -| 3480 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | [IAMPasswordPolicyUpperCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyUpperCase.py) | -| 3481 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | [FileSystemEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/FileSystemEncryption.py) | -| 3482 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | [SecurityListIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngress.py) | -| 3483 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | [SecurityListIngressStateless.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngressStateless.py) | -| 3484 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters | Terraform | [IAMPasswordLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordLength.py) | -| 3485 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | [SecurityListUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress22.py) | -| 3486 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | [SecurityListUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress3389.py) | -| 3487 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | [SecurityGroupsIngressStatelessSecurityRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityGroupsIngressStatelessSecurityRules.py) | -| 3488 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | [AbsSecurityGroupUnrestrictedIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/AbsSecurityGroupUnrestrictedIngress.py) | -| 3489 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 3490 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 3491 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 3492 | CKV2_OCI_2 | resource | oci_core_network_security_group_security_rule | Ensure NSG does not allow all traffic on RDP port (3389) | Terraform | [OCI_NSGNotAllowRDP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml) | -| 3493 | CKV2_OCI_3 | resource | oci_containerengine_cluster | Ensure Kubernetes engine cluster is configured with NSG(s) | Terraform | [OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml) | -| 3494 | CKV2_OCI_4 | resource | oci_file_storage_export | Ensure File Storage File System access is restricted to root users | Terraform | [OCI_NFSaccessRestrictedToRootUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NFSaccessRestrictedToRootUsers.yaml) | -| 3495 | CKV2_OCI_5 | resource | oci_containerengine_node_pool | Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Terraform | [OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml) | -| 3496 | CKV2_OCI_6 | resource | oci_containerengine_cluster | Ensure Kubernetes Engine Cluster pod security policy is enforced | Terraform | [OCI_K8EngineClusterPodSecPolicyEnforced.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterPodSecPolicyEnforced.yaml) | -| 3497 | CKV_OPENAPI_1 | resource | securityDefinitions | Ensure that securityDefinitions is defined and not empty - version 2.0 files | OpenAPI | [SecurityDefinitions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityDefinitions.py) | -| 3498 | CKV_OPENAPI_2 | resource | security | Ensure that if the security scheme is not of type 'oauth2', the array value must be empty - version 2.0 files | OpenAPI | [Oauth2SecurityRequirement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityRequirement.py) | -| 3499 | CKV_OPENAPI_3 | resource | components | Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files | OpenAPI | [CleartextOverUnencryptedChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v3/CleartextOverUnencryptedChannel.py) | -| 3500 | CKV_OPENAPI_4 | resource | security | Ensure that the global security field has rules defined | OpenAPI | [GlobalSecurityFieldIsEmpty.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/GlobalSecurityFieldIsEmpty.py) | -| 3501 | CKV_OPENAPI_5 | resource | security | Ensure that security operations is not empty. | OpenAPI | [SecurityOperations.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/SecurityOperations.py) | -| 3502 | CKV_OPENAPI_6 | resource | security | Ensure that security requirement defined in securityDefinitions - version 2.0 files | OpenAPI | [SecurityRequirement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityRequirement.py) | -| 3503 | CKV_OPENAPI_7 | resource | security | Ensure that the path scheme does not support unencrypted HTTP connection where all transmissions are open to interception- version 2.0 files | OpenAPI | [PathSchemeDefineHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/PathSchemeDefineHTTP.py) | -| 3504 | CKV_OPENAPI_8 | resource | security | Ensure that security is not using 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2SecurityPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityPasswordFlow.py) | -| 3505 | CKV_OPENAPI_9 | resource | paths | Ensure that security scopes of operations are defined in securityDefinitions - version 2.0 files | OpenAPI | [OperationObjectSecurityScopeUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectSecurityScopeUndefined.py) | -| 3506 | CKV_OPENAPI_10 | resource | paths | Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2OperationObjectPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2OperationObjectPasswordFlow.py) | -| 3507 | CKV_OPENAPI_11 | resource | securityDefinitions | Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2SecurityDefinitionPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityDefinitionPasswordFlow.py) | -| 3508 | CKV_OPENAPI_12 | resource | securityDefinitions | Ensure no security definition is using implicit flow on OAuth2, which is deprecated - version 2.0 files | OpenAPI | [Oauth2SecurityDefinitionImplicitFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityDefinitionImplicitFlow.py) | -| 3509 | CKV_OPENAPI_13 | resource | securityDefinitions | Ensure security definitions do not use basic auth - version 2.0 files | OpenAPI | [SecurityDefinitionBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityDefinitionBasicAuth.py) | -| 3510 | CKV_OPENAPI_14 | resource | paths | Ensure that operation objects do not use 'implicit' flow, which is deprecated - version 2.0 files | OpenAPI | [OperationObjectImplicitFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectImplicitFlow.py) | -| 3511 | CKV_OPENAPI_15 | resource | paths | Ensure that operation objects do not use basic auth - version 2.0 files | OpenAPI | [OperationObjectBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectBasicAuth.py) | -| 3512 | CKV_OPENAPI_16 | resource | paths | Ensure that operation objects have 'produces' field defined for GET operations - version 2.0 files | OpenAPI | [OperationObjectProducesUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectProducesUndefined.py) | -| 3513 | CKV_OPENAPI_17 | resource | paths | Ensure that operation objects have 'consumes' field defined for PUT, POST and PATCH operations - version 2.0 files | OpenAPI | [OperationObjectConsumesUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectConsumesUndefined.py) | -| 3514 | CKV_OPENAPI_18 | resource | schemes | Ensure that global schemes use 'https' protocol instead of 'http'- version 2.0 files | OpenAPI | [GlobalSchemeDefineHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/GlobalSchemeDefineHTTP.py) | -| 3515 | CKV_OPENAPI_19 | resource | security | Ensure that global security scope is defined in securityDefinitions - version 2.0 files | OpenAPI | [GlobalSecurityScopeUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/GlobalSecurityScopeUndefined.py) | -| 3516 | CKV_OPENAPI_20 | resource | paths | Ensure that API keys are not sent over cleartext | OpenAPI | [ClearTextAPIKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/ClearTextAPIKey.py) | -| 3517 | CKV_OPENAPI_21 | resource | paths | Ensure that arrays have a maximum number of items | OpenAPI | [NoMaximumNumberItems.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/NoMaximumNumberItems.py) | -| 3518 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/openstack/credentials.py) | -| 3519 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | -| 3520 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | -| 3521 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | -| 3522 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | -| 3523 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | [ComputeInstanceAdminPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/ComputeInstanceAdminPassword.py) | -| 3524 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | [FirewallRuleSetDestinationIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/FirewallRuleSetDestinationIP.py) | -| 3525 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/panos/credentials.py) | -| 3526 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoHTTP.py) | -| 3527 | CKV_PAN_2 | resource | tasks.paloaltonetworks.panos.panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Ansible | [PanosInterfaceMgmtProfileNoHTTP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoHTTP.yaml) | -| 3528 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoTelnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoTelnet.py) | -| 3529 | CKV_PAN_3 | resource | tasks.paloaltonetworks.panos.panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Ansible | [PanosInterfaceMgmtProfileNoTelnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoTelnet.yaml) | -| 3530 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | -| 3531 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | -| 3532 | CKV_PAN_4 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure DSRI is not enabled within security policies | Ansible | [PanosPolicyNoDSRI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoDSRI.yaml) | -| 3533 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | -| 3534 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | -| 3535 | CKV_PAN_5 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'application' set to 'any' | Ansible | [PanosPolicyNoApplicationAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoApplicationAny.yaml) | -| 3536 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | -| 3537 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | -| 3538 | CKV_PAN_6 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'service' set to 'any' | Ansible | [PanosPolicyNoServiceAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoServiceAny.yaml) | -| 3539 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | -| 3540 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | -| 3541 | CKV_PAN_7 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'source_ip' and 'destination_ip' both containing values of 'any' | Ansible | [PanosPolicyNoSrcAnyDstAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoSrcAnyDstAny.yaml) | -| 3542 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | -| 3543 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | -| 3544 | CKV_PAN_8 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure description is populated within security policies | Ansible | [PanosPolicyDescription.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyDescription.yaml) | -| 3545 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | -| 3546 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | -| 3547 | CKV_PAN_9 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure a Log Forwarding Profile is selected for each security policy rule | Ansible | [PanosPolicyLogForwarding.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLogForwarding.yaml) | -| 3548 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | -| 3549 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | -| 3550 | CKV_PAN_10 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure logging at session end is enabled within security policies | Ansible | [PanosPolicyLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLoggingEnabled.yaml) | -| 3551 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | -| 3552 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | -| 3553 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | -| 3554 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | -| 3555 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | -| 3556 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | -| 3557 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 3558 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 3559 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 3560 | CKV_PAN_14 | resource | tasks.paloaltonetworks.panos.panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Ansible | [PanosZoneProtectionProfile.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosZoneProtectionProfile.yaml) | -| 3561 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | -| 3562 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | -| 3563 | CKV_PAN_15 | resource | tasks.paloaltonetworks.panos.panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Ansible | [PanosZoneUserIDIncludeACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosZoneUserIDIncludeACL.yaml) | -| 3564 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3565 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3566 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3567 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3568 | CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3569 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3570 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3571 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3572 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3573 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3574 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3575 | CKV_SECRET_13 | Private Key | secrets | Private Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3576 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3577 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3578 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3579 | CKV_SECRET_17 | Stripe Access Key | secrets | Stripe Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3580 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3581 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3582 | CKV_TF_1 | module | module | Ensure Terraform module sources use a commit hash | Terraform | [RevisionHash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py) | -| 3583 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3584 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3585 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3586 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3587 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3588 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3589 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3590 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3591 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3592 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | [ComputeVMPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMPublicIP.py) | -| 3593 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | [ObjectStorageBucketEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketEncryption.py) | -| 3594 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | [ComputeVMSerialConsole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSerialConsole.py) | -| 3595 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | [K8SPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SPublicIP.py) | -| 3596 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | [K8SNodeGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupPublicIP.py) | -| 3597 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform | [K8SAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SAutoUpgrade.py) | -| 3598 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | [K8SNodeGroupAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupAutoUpgrade.py) | -| 3599 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | [KMSSymmetricKeyRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/KMSSymmetricKeyRotation.py) | -| 3600 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | [K8SEtcdKMSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SEtcdKMSEncryption.py) | -| 3601 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | [ComputeVMSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSecurityGroup.py) | -| 3602 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3603 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3604 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3605 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3606 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3607 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3608 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3609 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3610 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | -| 3611 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | -| 3612 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | [K8SSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SSecurityGroup.py) | -| 3613 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | [K8SNodeGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupSecurityGroup.py) | -| 3614 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | [K8SNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNetworkPolicy.py) | -| 3615 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. | Terraform | [ObjectStorageBucketPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py) | -| 3616 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | [ComputeInstanceGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupPublicIP.py) | -| 3617 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform | [VPCSecurityGroupAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py) | -| 3618 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | [VPCSecurityGroupRuleAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py) | -| 3619 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | -| 3620 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | -| 3621 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform | [ComputeInstanceGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupSecurityGroup.py) | -| 3622 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | -| 3623 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | -| 3624 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3625 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3626 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3627 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3628 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3629 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 1886 | CKV_AZURE_153 | resource | azurerm_linux_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 1887 | CKV_AZURE_153 | resource | azurerm_windows_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 1888 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | [AppServiceSlotMinTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py) | +| 1889 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotDebugDisabled.py) | +| 1890 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | [MSSQLServerAuditPolicyLogMonitor.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerAuditPolicyLogMonitor.py) | +| 1891 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesDataExfilProtection.py) | +| 1892 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace is not public | Terraform | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py) | +| 1893 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | +| 1894 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | +| 1895 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 1896 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 1897 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 1898 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 1899 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | +| 1900 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | +| 1901 | CKV_AZURE_161 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal is enabled on for HTTPS | Terraform | [SpringCloudAPIPortalHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalHTTPSOnly.py) | +| 1902 | CKV_AZURE_162 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal Public Access Is Disabled | Terraform | [SpringCloudAPIPortalPublicAccessIsDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py) | +| 1903 | CKV_AZURE_163 | resource | azurerm_container_registry | Enable vulnerability scanning for container images. | Terraform | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py) | +| 1904 | CKV_AZURE_164 | resource | azurerm_container_registry | Ensures that ACR uses signed/trusted images | Terraform | [ACRUseSignedImages.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRUseSignedImages.py) | +| 1905 | CKV_AZURE_165 | resource | azurerm_container_registry | Ensure geo-replicated container registries to match multi-region container deployments. | Terraform | [ACRGeoreplicated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py) | +| 1906 | CKV_AZURE_166 | resource | azurerm_container_registry | Ensure container image quarantine, scan, and mark images verified | Terraform | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableImageQuarantine.py) | +| 1907 | CKV_AZURE_167 | resource | azurerm_container_registry | Ensure a retention policy is set to cleanup untagged manifests. | Terraform | [ACREnableRetentionPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py) | +| 1908 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | +| 1909 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster_node_pool | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | +| 1910 | CKV_AZURE_169 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Terraform | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSPoolTypeIsScaleSet.py) | +| 1911 | CKV_AZURE_170 | resource | azurerm_kubernetes_cluster | Ensure that AKS use the Paid Sku for its SLA | Terraform | [AKSIsPaidSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSIsPaidSku.py) | +| 1912 | CKV_AZURE_171 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster upgrade channel is chosen | Terraform | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUpgradeChannel.py) | +| 1913 | CKV_AZURE_172 | resource | azurerm_kubernetes_cluster | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Terraform | [AKSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSSecretStoreRotation.py) | +| 1914 | CKV_AZURE_173 | resource | azurerm_api_management | Ensure API management uses at least TLS 1.2 | Terraform | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py) | +| 1915 | CKV_AZURE_174 | resource | azurerm_api_management | Ensure API management public access is disabled | Terraform | [APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementPublicAccess.py) | +| 1916 | CKV_AZURE_175 | resource | azurerm_web_pubsub | Ensure Web PubSub uses a SKU with an SLA | Terraform | [PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSKUSLA.py) | +| 1917 | CKV_AZURE_176 | resource | azurerm_web_pubsub | Ensure Web PubSub uses managed identities to access Azure resources | Terraform | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSpecifyIdentity.py) | +| 1918 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | +| 1919 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine_scale_set | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | +| 1920 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | +| 1921 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine_scale_set | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | +| 1922 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1923 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1924 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1925 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1926 | CKV_AZURE_180 | resource | azurerm_kusto_cluster | Ensure that data explorer uses Sku with an SLA | Terraform | [DataExplorerSKUHasSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerSKUHasSLA.py) | +| 1927 | CKV_AZURE_181 | resource | azurerm_kusto_cluster | Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. | Terraform | [DataExplorerServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerServiceIdentity.py) | +| 1928 | CKV_AZURE_182 | resource | azurerm_virtual_network | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | +| 1929 | CKV_AZURE_182 | resource | azurerm_virtual_network_dns_servers | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | +| 1930 | CKV_AZURE_183 | resource | azurerm_virtual_network | Ensure that VNET uses local DNS addresses | Terraform | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetLocalDNS.py) | +| 1931 | CKV_AZURE_184 | resource | azurerm_app_configuration | Ensure 'local_auth_enabled' is set to 'False' | Terraform | [AppConfigLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigLocalAuth.py) | +| 1932 | CKV_AZURE_185 | resource | azurerm_app_configuration | Ensure 'Public Access' is not Enabled for App configuration | Terraform | [AppConfigPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPublicAccess.py) | +| 1933 | CKV_AZURE_186 | resource | azurerm_app_configuration | Ensure App configuration encryption block is set. | Terraform | [AppConfigEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigEncryption.py) | +| 1934 | CKV_AZURE_187 | resource | azurerm_app_configuration | Ensure App configuration purge protection is enabled | Terraform | [AppConfigPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPurgeProtection.py) | +| 1935 | CKV_AZURE_188 | resource | azurerm_app_configuration | Ensure App configuration Sku is standard | Terraform | [AppConfigSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigSku.py) | +| 1936 | CKV_AZURE_189 | resource | azurerm_key_vault | Ensure that Azure Key Vault disables public network access | Terraform | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py) | +| 1937 | CKV_AZURE_190 | resource | azurerm_storage_account | Ensure that Storage blobs restrict public access | Terraform | [StorageBlobRestrictPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py) | +| 1938 | CKV_AZURE_191 | resource | azurerm_eventgrid_topic | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Terraform | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicIdentityProviderEnabled.py) | +| 1939 | CKV_AZURE_192 | resource | azurerm_eventgrid_topic | Ensure that Azure Event Grid Topic local Authentication is disabled | Terraform | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicLocalAuthentication.py) | +| 1940 | CKV_AZURE_193 | resource | azurerm_eventgrid_topic | Ensure public network access is disabled for Azure Event Grid Topic | Terraform | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicNetworkAccess.py) | +| 1941 | CKV_AZURE_194 | resource | azurerm_eventgrid_domain | Ensure that Managed identity provider is enabled for Azure Event Grid Domain | Terraform | [EventgridDomainIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainIdentityProviderEnabled.py) | +| 1942 | CKV_AZURE_195 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain local Authentication is disabled | Terraform | [EventgridDomainLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainLocalAuthentication.py) | +| 1943 | CKV_AZURE_196 | resource | azurerm_signalr_service | Ensure that SignalR uses a Paid Sku for its SLA | Terraform | [SignalRSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SignalRSKUSLA.py) | +| 1944 | CKV_AZURE_197 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN disables the HTTP endpoint | Terraform | [CDNDisableHttpEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNDisableHttpEndpoints.py) | +| 1945 | CKV_AZURE_198 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN enables the HTTPS endpoint | Terraform | [CDNEnableHttpsEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNEnableHttpsEndpoints.py) | +| 1946 | CKV_AZURE_199 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses double encryption | Terraform | [AzureServicebusDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusDoubleEncryptionEnabled.py) | +| 1947 | CKV_AZURE_200 | resource | azurerm_cdn_endpoint_custom_domain | Ensure the Azure CDN endpoint is using the latest version of TLS encryption | Terraform | [CDNTLSProtocol12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py) | +| 1948 | CKV_AZURE_201 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses a customer-managed key to encrypt data | Terraform | [AzureServicebusHasCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusHasCMK.py) | +| 1949 | CKV_AZURE_202 | resource | azurerm_servicebus_namespace | Ensure that Managed identity provider is enabled for Azure Service Bus | Terraform | [AzureServicebusIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusIdentityProviderEnabled.py) | +| 1950 | CKV_AZURE_203 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus Local Authentication is disabled | Terraform | [AzureServicebusLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusLocalAuthDisabled.py) | +| 1951 | CKV_AZURE_204 | resource | azurerm_servicebus_namespace | Ensure 'public network access enabled' is set to 'False' for Azure Service Bus | Terraform | [AzureServicebusPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusPublicAccessDisabled.py) | +| 1952 | CKV_AZURE_205 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus is using the latest version of TLS encryption | Terraform | [AzureServicebusMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusMinTLSVersion.py) | +| 1953 | CKV_AZURE_206 | resource | azurerm_storage_account | Ensure that Storage Accounts use replication | Terraform | [StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsUseReplication.py) | +| 1954 | CKV_AZURE_207 | resource | azurerm_search_service | Ensure Azure Cognitive Search service uses managed identities to access Azure resources | Terraform | [AzureSearchManagedIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchManagedIdentity.py) | +| 1955 | CKV_AZURE_208 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for index updates | Terraform | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAIndex.py) | +| 1956 | CKV_AZURE_209 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for search index queries | Terraform | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAQueryUpdates.py) | +| 1957 | CKV_AZURE_210 | resource | azurerm_search_service | Ensure Azure Cognitive Search service allowed IPS does not give public Access | Terraform | [AzureSearchAllowedIPsNotGlobal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchAllowedIPsNotGlobal.py) | +| 1958 | CKV_AZURE_211 | resource | azurerm_service_plan | Ensure App Service plan suitable for production use | Terraform | [AppServiceSkuMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSkuMinimum.py) | +| 1959 | CKV_AZURE_212 | resource | azurerm_service_plan | Ensure App Service has a minimum number of instances for failover | Terraform | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py) | +| 1960 | CKV_AZURE_213 | resource | azurerm_app_service | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1961 | CKV_AZURE_213 | resource | azurerm_linux_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1962 | CKV_AZURE_213 | resource | azurerm_windows_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1963 | CKV_AZURE_214 | resource | azurerm_linux_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | +| 1964 | CKV_AZURE_214 | resource | azurerm_windows_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | +| 1965 | CKV_AZURE_215 | resource | azurerm_api_management_backend | Ensure API management backend uses https | Terraform | [APIManagementBackendHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementBackendHTTPS.py) | +| 1966 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | arm | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | +| 1967 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Bicep | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | +| 1968 | CKV_AZURE_216 | resource | azurerm_firewall | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Terraform | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDenyThreatIntelMode.py) | +| 1969 | CKV_AZURE_217 | resource | azurerm_application_gateway | Ensure Azure Application gateways listener that allow connection requests over HTTP | Terraform | [AppGWUsesHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUsesHttps.py) | +| 1970 | CKV_AZURE_218 | resource | azurerm_application_gateway | Ensure Application Gateway defines secure protocols for in transit communication | Terraform | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py) | +| 1971 | CKV_AZURE_219 | resource | azurerm_firewall | Ensure Firewall defines a firewall policy | Terraform | [AzureFirewallDefinesPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDefinesPolicy.py) | +| 1972 | CKV_AZURE_220 | resource | azurerm_firewall_policy | Ensure Firewall policy has IDPS mode as deny | Terraform | [AzureFirewallPolicyIDPSDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallPolicyIDPSDeny.py) | +| 1973 | CKV_AZURE_221 | resource | azurerm_linux_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1974 | CKV_AZURE_221 | resource | azurerm_linux_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1975 | CKV_AZURE_221 | resource | azurerm_windows_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1976 | CKV_AZURE_221 | resource | azurerm_windows_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1977 | CKV_AZURE_222 | resource | azurerm_linux_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | +| 1978 | CKV_AZURE_222 | resource | azurerm_windows_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | +| 1979 | CKV_AZURE_223 | resource | azurerm_eventhub_namespace | Ensure Event Hub Namespace uses at least TLS 1.2 | Terraform | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceMinTLS12.py) | +| 1980 | CKV_AZURE_224 | resource | azurerm_mssql_database | Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity | Terraform | [SQLDatabaseLedgerEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseLedgerEnabled.py) | +| 1981 | CKV_AZURE_225 | resource | azurerm_service_plan | Ensure the App Service Plan is zone redundant | Terraform | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py) | +| 1982 | CKV_AZURE_226 | resource | azurerm_kubernetes_cluster | Ensure ephemeral disks are used for OS disks | Terraform | [AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py) | +| 1983 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | +| 1984 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster_node_pool | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | +| 1985 | CKV_AZURE_228 | resource | azurerm_eventhub_namespace | Ensure the Azure Event Hub Namespace is zone redundant | Terraform | [EventHubNamespaceZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceZoneRedundant.py) | +| 1986 | CKV_AZURE_229 | resource | azurerm_mssql_database | Ensure the Azure SQL Database Namespace is zone redundant | Terraform | [SQLDatabaseZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseZoneRedundant.py) | +| 1987 | CKV_AZURE_230 | resource | azurerm_redis_cache | Standard Replication should be enabled | Terraform | [RedisCacheStandardReplicationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheStandardReplicationEnabled.py) | +| 1988 | CKV_AZURE_231 | resource | azurerm_app_service_environment_v3 | Ensure App Service Environment is zone redundant | Terraform | [AppServiceEnvironmentZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnvironmentZoneRedundant.py) | +| 1989 | CKV_AZURE_232 | resource | azurerm_kubernetes_cluster | Ensure that only critical system pods run on system nodes | Terraform | [AKSOnlyCriticalPodsOnSystemNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSOnlyCriticalPodsOnSystemNodes.py) | +| 1990 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | [StorageCriticalDataEncryptedCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageCriticalDataEncryptedCMK.yaml) | +| 1991 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | +| 1992 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | +| 1993 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1994 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1995 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1996 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1997 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1998 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1999 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 2000 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 2001 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 2002 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 2003 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 2004 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 2005 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | +| 2006 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | +| 2007 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | [AzureActiveDirectoryAdminIsConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureActiveDirectoryAdminIsConfigured.yaml) | +| 2008 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 2009 | CKV2_AZURE_8 | resource | azurerm_storage_account | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 2010 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 2011 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | [VirtualMachinesUtilizingManagedDisks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VirtualMachinesUtilizingManagedDisks.yaml) | +| 2012 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | +| 2013 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | +| 2014 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | [DataExplorerEncryptionUsesCustomKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DataExplorerEncryptionUsesCustomKey.yaml) | +| 2015 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | [VMHasBackUpMachine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VMHasBackUpMachine.yaml) | +| 2016 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | +| 2017 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | +| 2018 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | +| 2019 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | +| 2020 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | [AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml) | +| 2021 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | +| 2022 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | +| 2023 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | +| 2024 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | +| 2025 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | [AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml) | +| 2026 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 2027 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 2028 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 2029 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 2030 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 2031 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 2032 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | +| 2033 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | +| 2034 | CKV2_AZURE_23 | resource | Microsoft.AppPlatform/Spring | Ensure Azure spring cloud is configured with Virtual network (Vnet) | arm | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureSpringCloudConfigWithVnet.yaml) | +| 2035 | CKV2_AZURE_23 | resource | azurerm_spring_cloud_service | Ensure Azure spring cloud is configured with Virtual network (Vnet) | Terraform | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudConfigWithVnet.yaml) | +| 2036 | CKV2_AZURE_24 | resource | azurerm_automation_account | Ensure Azure automation account does NOT have overly permissive network access | Terraform | [AzureAutomationAccNotOverlyPermissiveNetAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccNotOverlyPermissiveNetAccess.yaml) | +| 2037 | CKV2_AZURE_25 | resource | azurerm_mssql_database | Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled | Terraform | [AzureSqlDbEnableTransparentDataEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSqlDbEnableTransparentDataEncryption.yaml) | +| 2038 | CKV2_AZURE_26 | resource | azurerm_postgresql_flexible_server_firewall_rule | Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access | Terraform | [AzurePostgreSQLFlexServerNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLFlexServerNotOverlyPermissive.yaml) | +| 2039 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | arm | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | +| 2040 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Bicep | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | +| 2041 | CKV2_AZURE_27 | resource | azurerm_mssql_server | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Terraform | [AzureConfigMSSQLwithAD.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml) | +| 2042 | CKV2_AZURE_28 | resource | azurerm_container_group | Ensure Container Instance is configured with managed identity | Terraform | [AzureContainerInstanceconfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureContainerInstanceconfigManagedIdentity.yaml) | +| 2043 | CKV2_AZURE_29 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Azure CNI networking enabled | Terraform | [AzureAKSclusterAzureCNIEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAKSclusterAzureCNIEnabled.yaml) | +| 2044 | CKV2_AZURE_30 | resource | azurerm_container_registry_webhook | Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook | Terraform | [AzureACR_HTTPSwebhook.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureACR_HTTPSwebhook.yaml) | +| 2045 | CKV2_AZURE_31 | resource | azurerm_subnet | Ensure VNET subnet is configured with a Network Security Group (NSG) | Terraform | [AzureSubnetConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSubnetConfigWithNSG.yaml) | +| 2046 | CKV2_AZURE_32 | resource | azurerm_key_vault | Ensure private endpoint is configured to key vault | Terraform | [AzureKeyVaultConfigPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureKeyVaultConfigPrivateEndpoint.yaml) | +| 2047 | CKV2_AZURE_33 | resource | azurerm_storage_account | Ensure storage account is configured with private endpoint | Terraform | [AzureStorageAccConfigWithPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithPrivateEndpoint.yaml) | +| 2048 | CKV2_AZURE_34 | resource | azurerm_sql_firewall_rule | Ensure Azure SQL server firewall is not overly permissive | Terraform | [AzureSQLserverNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSQLserverNotOverlyPermissive.yaml) | +| 2049 | CKV2_AZURE_35 | resource | azurerm_recovery_services_vault | Ensure Azure recovery services vault is configured with managed identity | Terraform | [AzureRecoveryServicesvaultConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureRecoveryServicesvaultConfigManagedIdentity.yaml) | +| 2050 | CKV2_AZURE_36 | resource | azurerm_automation_account | Ensure Azure automation account is configured with managed identity | Terraform | [AzureAutomationAccConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccConfigManagedIdentity.yaml) | +| 2051 | CKV2_AZURE_37 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is using latest TLS (1.2) | Terraform | [AzureMariaDBserverUsingTLS_1_2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverUsingTLS_1_2.yaml) | +| 2052 | CKV2_AZURE_38 | resource | azurerm_storage_account | Ensure soft-delete is enabled on Azure storage account | Terraform | [AzureStorageAccountEnableSoftDelete.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccountEnableSoftDelete.yaml) | +| 2053 | CKV2_AZURE_39 | resource | azurerm_linux_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 2054 | CKV2_AZURE_39 | resource | azurerm_network_interface | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 2055 | CKV2_AZURE_39 | resource | azurerm_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 2056 | CKV2_AZURE_39 | resource | azurerm_windows_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 2057 | CKV2_AZURE_40 | resource | azurerm_storage_account | Ensure storage account is not configured with Shared Key authorization | Terraform | [AzureStorageAccConfigSharedKeyAuth.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml) | +| 2058 | CKV2_AZURE_41 | resource | azurerm_storage_account | Ensure storage account is configured with SAS expiration policy | Terraform | [AzureStorageAccConfig_SAS_expirePolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml) | +| 2059 | CKV_AZUREPIPELINES_1 | azure_pipelines | jobs | Ensure container job uses a non latest version tag | Azure Pipelines | [ContainerLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerLatestTag.py) | +| 2060 | CKV_AZUREPIPELINES_1 | azure_pipelines | stages[].jobs[] | Ensure container job uses a non latest version tag | Azure Pipelines | [ContainerLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerLatestTag.py) | +| 2061 | CKV_AZUREPIPELINES_2 | azure_pipelines | jobs | Ensure container job uses a version digest | Azure Pipelines | [ContainerDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerDigest.py) | +| 2062 | CKV_AZUREPIPELINES_2 | azure_pipelines | stages[].jobs[] | Ensure container job uses a version digest | Azure Pipelines | [ContainerDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerDigest.py) | +| 2063 | CKV_AZUREPIPELINES_3 | azure_pipelines | jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | [SetSecretVariable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/SetSecretVariable.py) | +| 2064 | CKV_AZUREPIPELINES_3 | azure_pipelines | stages[].jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | [SetSecretVariable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/SetSecretVariable.py) | +| 2065 | CKV_AZUREPIPELINES_5 | azure_pipelines | *.container[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | +| 2066 | CKV_AZUREPIPELINES_5 | azure_pipelines | jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | +| 2067 | CKV_AZUREPIPELINES_5 | azure_pipelines | stages[].jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | +| 2068 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/bridgecrew/credentials.py) | +| 2069 | CKV_BITBUCKET_1 | bitbucket_configuration | * | Merge requests should require at least 2 approvals | bitbucket_configuration | [merge_requests_approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket/checks/merge_requests_approvals.py) | +| 2070 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | [{image:image,__startline__:__startline__,__endline__:__endline__}] | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | +| 2071 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines.*.[*][][][].step.{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | +| 2072 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines.default[].step.{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | +| 2073 | CKV_CIRCLECIPIPELINES_1 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | circleci_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/latest_image.py) | +| 2074 | CKV_CIRCLECIPIPELINES_2 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image version is referenced via hash not arbitrary tag. | circleci_pipelines | [image_version_not_hash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/image_version_not_hash.py) | +| 2075 | CKV_CIRCLECIPIPELINES_3 | circleci_pipelines | orbs.{orbs: @} | Ensure mutable development orbs are not used. | circleci_pipelines | [prevent_development_orbs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/prevent_development_orbs.py) | +| 2076 | CKV_CIRCLECIPIPELINES_4 | circleci_pipelines | orbs.{orbs: @} | Ensure unversioned volatile orbs are not used. | circleci_pipelines | [prevent_volatile_orbs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/prevent_volatile_orbs.py) | +| 2077 | CKV_CIRCLECIPIPELINES_5 | circleci_pipelines | jobs.*.steps[] | Suspicious use of netcat with IP address | circleci_pipelines | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/ReverseShellNetcat.py) | +| 2078 | CKV_CIRCLECIPIPELINES_6 | circleci_pipelines | jobs.*.steps[] | Ensure run commands are not vulnerable to shell injection | circleci_pipelines | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/ShellInjection.py) | +| 2079 | CKV_CIRCLECIPIPELINES_7 | circleci_pipelines | jobs.*.steps[] | Suspicious use of curl in run task | circleci_pipelines | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/SuspectCurlInScript.py) | +| 2080 | CKV_CIRCLECIPIPELINES_8 | circleci_pipelines | executors.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Detecting image usages in circleci pipelines | circleci_pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/DetectImagesUsage.py) | +| 2081 | CKV_CIRCLECIPIPELINES_8 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Detecting image usages in circleci pipelines | circleci_pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/DetectImagesUsage.py) | +| 2082 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | [SpacesBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketVersioning.py) | +| 2083 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | [DropletSSHKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/DropletSSHKeys.py) | +| 2084 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | [SpacesBucketPublicRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketPublicRead.py) | +| 2085 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | [FirewallIngressOpen.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/FirewallIngressOpen.py) | +| 2086 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | [ExposePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/ExposePort22.py) | +| 2087 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | [HealthcheckExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/HealthcheckExists.py) | +| 2088 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | [UserExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/UserExists.py) | +| 2089 | CKV_DOCKER_4 | dockerfile | ADD | Ensure that COPY is used instead of ADD in Dockerfiles | dockerfile | [AddExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/AddExists.py) | +| 2090 | CKV_DOCKER_5 | dockerfile | RUN | Ensure update instructions are not use alone in the Dockerfile | dockerfile | [UpdateNotAlone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/UpdateNotAlone.py) | +| 2091 | CKV_DOCKER_6 | dockerfile | MAINTAINER | Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) | dockerfile | [MaintainerExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/MaintainerExists.py) | +| 2092 | CKV_DOCKER_7 | dockerfile | FROM | Ensure the base image uses a non latest version tag | dockerfile | [ReferenceLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/ReferenceLatestTag.py) | +| 2093 | CKV_DOCKER_8 | dockerfile | USER | Ensure the last USER is not root | dockerfile | [RootUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/RootUser.py) | +| 2094 | CKV_DOCKER_9 | dockerfile | RUN | Ensure that APT isn't used | dockerfile | [RunUsingAPT.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/RunUsingAPT.py) | +| 2095 | CKV_DOCKER_10 | dockerfile | WORKDIR | Ensure that WORKDIR values are absolute paths | dockerfile | [WorkdirIsAbsolute.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/WorkdirIsAbsolute.py) | +| 2096 | CKV_DOCKER_11 | dockerfile | FROM | Ensure From Alias are unique for multistage builds. | dockerfile | [AliasIsUnique.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/AliasIsUnique.py) | +| 2097 | CKV2_DOCKER_1 | resource | RUN | Ensure that sudo isn't used | dockerfile | [RunUsingSudo.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUsingSudo.yaml) | +| 2098 | CKV2_DOCKER_2 | resource | RUN | Ensure that certificate validation isn't disabled with curl | dockerfile | [RunUnsafeCurl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUnsafeCurl.yaml) | +| 2099 | CKV2_DOCKER_3 | resource | RUN | Ensure that certificate validation isn't disabled with wget | dockerfile | [RunUnsafeWget.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUnsafeWget.yaml) | +| 2100 | CKV2_DOCKER_4 | resource | RUN | Ensure that certificate validation isn't disabled with the pip '--trusted-host' option | dockerfile | [RunPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunPipTrustedHost.yaml) | +| 2101 | CKV2_DOCKER_5 | resource | ARG | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) | +| 2102 | CKV2_DOCKER_5 | resource | ENV | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) | +| 2103 | CKV2_DOCKER_5 | resource | RUN | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) | +| 2104 | CKV2_DOCKER_6 | resource | ARG | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) | +| 2105 | CKV2_DOCKER_6 | resource | ENV | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) | +| 2106 | CKV2_DOCKER_6 | resource | RUN | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) | +| 2107 | CKV2_DOCKER_7 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option | dockerfile | [RunApkAllowUntrusted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunApkAllowUntrusted.yaml) | +| 2108 | CKV2_DOCKER_8 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option | dockerfile | [RunAptGetAllowUnauthenticated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunAptGetAllowUnauthenticated.yaml) | +| 2109 | CKV2_DOCKER_9 | resource | RUN | Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option | dockerfile | [RunYumNoGpgCheck.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunYumNoGpgCheck.yaml) | +| 2110 | CKV2_DOCKER_10 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options | dockerfile | [RunRpmNoSignature.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunRpmNoSignature.yaml) | +| 2111 | CKV2_DOCKER_11 | resource | RUN | Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | dockerfile | [RunAptGetForceYes.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunAptGetForceYes.yaml) | +| 2112 | CKV2_DOCKER_12 | resource | ARG | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) | +| 2113 | CKV2_DOCKER_12 | resource | ENV | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) | +| 2114 | CKV2_DOCKER_12 | resource | RUN | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) | +| 2115 | CKV2_DOCKER_13 | resource | RUN | Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false | dockerfile | [RunNpmConfigSetStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunNpmConfigSetStrictSsl.yaml) | +| 2116 | CKV2_DOCKER_14 | resource | ARG | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) | +| 2117 | CKV2_DOCKER_14 | resource | ENV | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) | +| 2118 | CKV2_DOCKER_14 | resource | RUN | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) | +| 2119 | CKV2_DOCKER_15 | resource | RUN | Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option | dockerfile | [RunYumConfigManagerSslVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunYumConfigManagerSslVerify.yaml) | +| 2120 | CKV2_DOCKER_16 | resource | ARG | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) | +| 2121 | CKV2_DOCKER_16 | resource | ENV | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) | +| 2122 | CKV2_DOCKER_16 | resource | RUN | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) | +| 2123 | CKV2_DOCKER_17 | resource | RUN | Ensure that 'chpasswd' is not used to set or remove passwords | dockerfile | [RunChpasswd.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunChpasswd.yaml) | +| 2124 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClusterLogging.py) | +| 2125 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | [GoogleComputeFirewallUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress22.py) | +| 2126 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3389.py) | +| 2127 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | [GoogleComputeSSLPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSSLPolicy.py) | +| 2128 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | [GoogleCloudSqlDatabaseRequireSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py) | +| 2129 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | [GKEDisableLegacyAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDisableLegacyAuth.py) | +| 2130 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMonitoringEnabled.py) | +| 2131 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoRepairEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoRepairEnabled.py) | +| 2132 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoUpgradeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoUpgradeEnabled.py) | +| 2133 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | [GoogleCloudSqlDatabasePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabasePubliclyAccessible.py) | +| 2134 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | [GKENetworkPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENetworkPolicyEnabled.py) | +| 2135 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | [GKEClientCertificateDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py) | +| 2136 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | [GoogleCloudSqlBackupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlBackupConfiguration.py) | +| 2137 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | [GoogleBigQueryDatasetPublicACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleBigQueryDatasetPublicACL.py) | +| 2138 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | [GoogleCloudDNSSECEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSSECEnabled.py) | +| 2139 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | [GoogleCloudDNSKeySpecsRSASHA1.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSKeySpecsRSASHA1.py) | +| 2140 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | [GKEPublicControlPlane.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPublicControlPlane.py) | +| 2141 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | [GKEBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBasicAuth.py) | +| 2142 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | [GKEMasterAuthorizedNetworksEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMasterAuthorizedNetworksEnabled.py) | +| 2143 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | [GKEHasLabels.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEHasLabels.py) | +| 2144 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | [GKEUseCosImage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py) | +| 2145 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | [GKEAliasIpEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEAliasIpEnabled.py) | +| 2146 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | [GKEPodSecurityPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py) | +| 2147 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | [GKEPrivateClusterConfig.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateClusterConfig.py) | +| 2148 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | [GoogleSubnetworkLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkLoggingEnabled.py) | +| 2149 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | [GoogleProjectDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectDefaultNetwork.py) | +| 2150 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | +| 2151 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | +| 2152 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | [GoogleStorageBucketUniformAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketUniformAccess.py) | +| 2153 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 2154 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 2155 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 2156 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 2157 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 2158 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 2159 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 2160 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 2161 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 2162 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | [GoogleComputeProjectOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeProjectOSLogin.py) | +| 2163 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 2164 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 2165 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 2166 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 2167 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 2168 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 2169 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 2170 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 2171 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 2172 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDiskEncryption.py) | +| 2173 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeBootDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBootDiskEncryption.py) | +| 2174 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 2175 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 2176 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 2177 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 2178 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 2179 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 2180 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | +| 2181 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | +| 2182 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | [GoogleProjectAdminServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectAdminServiceAccount.py) | +| 2183 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | [GoogleKMSRotationPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py) | +| 2184 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | +| 2185 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | +| 2186 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | +| 2187 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | +| 2188 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | +| 2189 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | +| 2190 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | +| 2191 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | +| 2192 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | +| 2193 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | +| 2194 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | +| 2195 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | +| 2196 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | [GoogleCloudMySqlLocalInfileOff.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudMySqlLocalInfileOff.py) | +| 2197 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogCheckpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py) | +| 2198 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogConnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py) | +| 2199 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogDisconnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py) | +| 2200 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogLockWaits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py) | +| 2201 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | [GoogleCloudPostgreSqlLogMinMessage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinMessage.py) | +| 2202 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | [GoogleCloudPostgreSqlLogTemp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogTemp.py) | +| 2203 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | [GoogleCloudPostgreSqlLogMinDuration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinDuration.py) | +| 2204 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | [GoogleCloudSqlServerCrossDBOwnershipChaining.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerCrossDBOwnershipChaining.py) | +| 2205 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | [GoogleCloudSqlServerContainedDBAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerContainedDBAuthentication.py) | +| 2206 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | [GoogleCloudSqlServerNoPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerNoPublicIP.py) | +| 2207 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | [GKEEnableVPCFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableVPCFlowLogs.py) | +| 2208 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | [CloudStorageLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageLogging.py) | +| 2209 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | [CloudStorageSelfLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageSelfLogging.py) | +| 2210 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | [GKEPrivateNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateNodes.py) | +| 2211 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | [GKEKubernetesRBACGoogleGroups.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEKubernetesRBACGoogleGroups.py) | +| 2212 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | [GKEBinaryAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py) | +| 2213 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | +| 2214 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | +| 2215 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | +| 2216 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | +| 2217 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | [GKEReleaseChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEReleaseChannel.py) | +| 2218 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | [GKEEnableShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableShieldedNodes.py) | +| 2219 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | +| 2220 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | +| 2221 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [CloudArmorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py) | +| 2222 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | [GoogleSubnetworkPrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py) | +| 2223 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | [GoogleComputeFirewallUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress21.py) | +| 2224 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | [GoogleSubnetworkIPV6PrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py) | +| 2225 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | [GoogleComputeFirewallUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress20.py) | +| 2226 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | [CloudStorageVersioningEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageVersioningEnabled.py) | +| 2227 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | [CloudSqlMajorVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudSqlMajorVersion.py) | +| 2228 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryTableEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableEncryptedWithCMK.py) | +| 2229 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryDatasetEncryptedWithCMK.py) | +| 2230 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | [GoogleKMSPreventDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSPreventDestroy.py) | +| 2231 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [CloudPubSubEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudPubSubEncryptedWithCMK.py) | +| 2232 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [ArtifactRegsitryEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegsitryEncryptedWithCMK.py) | +| 2233 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigTableInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceEncryptedWithCMK.py) | +| 2234 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | [CloudBuildWorkersArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudBuildWorkersArePrivate.py) | +| 2235 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | [DataFusionPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionPrivateInstance.py) | +| 2236 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3306.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3306.py) | +| 2237 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | [VertexAIPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIPrivateInstance.py) | +| 2238 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataflowJobEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowJobEncryptedWithCMK.py) | +| 2239 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataprocClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocClusterEncryptedWithCMK.py) | +| 2240 | CKV_GCP_92 | resource | google_vertex_ai_dataset | Ensure Vertex AI datasets uses a CMK (Customer Manager Key) | Terraform | [VertexAIDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIDatasetEncryptedWithCMK.py) | +| 2241 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [SpannerDatabaseEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseEncryptedWithCMK.py) | +| 2242 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | [DataflowPrivateJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowPrivateJob.py) | +| 2243 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | [MemorystoreForRedisAuthEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisAuthEnabled.py) | +| 2244 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Manager Key) | Terraform | [VertexAIMetadataStoreEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIMetadataStoreEncryptedWithCMK.py) | +| 2245 | CKV_GCP_97 | resource | google_redis_instance | Ensure Memorystore for Redis uses intransit encryption | Terraform | [MemorystoreForRedisInTransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisInTransitEncryption.py) | +| 2246 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | +| 2247 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | +| 2248 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | +| 2249 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | +| 2250 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | +| 2251 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | +| 2252 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | +| 2253 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | +| 2254 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | +| 2255 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | +| 2256 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | [DataprocPublicIpCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPublicIpCluster.py) | +| 2257 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | [DataFusionStackdriverLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverLogs.py) | +| 2258 | CKV_GCP_105 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver monitoring enabled | Terraform | [DataFusionStackdriverMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverMonitoring.py) | +| 2259 | CKV_GCP_106 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | Terraform | [GoogleComputeFirewallUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress80.py) | +| 2260 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 2261 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 2262 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 2263 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 2264 | CKV_GCP_108 | resource | google_sql_database_instance | Ensure hostnames are logged for GCP PostgreSQL databases | Terraform | [GoogleCloudPostgreSqlLogHostname.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogHostname.py) | +| 2265 | CKV_GCP_109 | resource | google_sql_database_instance | Ensure the GCP PostgreSQL database log levels are set to ERROR or lower | Terraform | [GoogleCloudPostgreSqlLogMinErrorStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinErrorStatement.py) | +| 2266 | CKV_GCP_110 | resource | google_sql_database_instance | Ensure pgAudit is enabled for your GCP PostgreSQL database | Terraform | [GoogleCloudPostgreSqlEnablePgaudit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlEnablePgaudit.py) | +| 2267 | CKV_GCP_111 | resource | google_sql_database_instance | Ensure GCP PostgreSQL logs SQL statements | Terraform | [GoogleCloudPostgreSqlLogStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogStatement.py) | +| 2268 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_binding | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | +| 2269 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_member | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | +| 2270 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_policy | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | +| 2271 | CKV_GCP_113 | data | google_iam_policy | Ensure IAM policy should not define public access | Terraform | [GooglePolicyIsPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py) | +| 2272 | CKV_GCP_114 | resource | google_storage_bucket | Ensure public access prevention is enforced on Cloud Storage bucket | Terraform | [GoogleStoragePublicAccessPrevention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStoragePublicAccessPrevention.py) | +| 2273 | CKV_GCP_115 | resource | google_organization_iam_binding | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | +| 2274 | CKV_GCP_115 | resource | google_organization_iam_member | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | +| 2275 | CKV_GCP_116 | resource | google_folder_iam_binding | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | +| 2276 | CKV_GCP_116 | resource | google_folder_iam_member | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | +| 2277 | CKV_GCP_117 | resource | google_project_iam_binding | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | +| 2278 | CKV_GCP_117 | resource | google_project_iam_member | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | +| 2279 | CKV_GCP_118 | resource | google_iam_workload_identity_pool_provider | Ensure IAM workload identity pool provider is restricted | Terraform | [GoogleIAMWorkloadIdentityConditional.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleIAMWorkloadIdentityConditional.py) | +| 2280 | CKV_GCP_119 | resource | google_spanner_database | Ensure Spanner Database has deletion protection enabled | Terraform | [SpannerDatabaseDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDeletionProtection.py) | +| 2281 | CKV_GCP_120 | resource | google_spanner_database | Ensure Spanner Database has drop protection enabled | Terraform | [SpannerDatabaseDropProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDropProtection.py) | +| 2282 | CKV_GCP_121 | resource | google_bigquery_table | Ensure BigQuery tables have deletion protection enabled | Terraform | [BigQueryTableDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableDeletionProtection.py) | +| 2283 | CKV_GCP_122 | resource | google_bigtable_instance | Ensure Big Table Instances have deletion protection enabled | Terraform | [BigTableInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceDeletionProtection.py) | +| 2284 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | [GKEClustersAreNotUsingDefaultServiceAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GKEClustersAreNotUsingDefaultServiceAccount.yaml) | +| 2285 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | [GCPProjectHasNoLegacyNetworks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPProjectHasNoLegacyNetworks.yaml) | +| 2286 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | [ServiceAccountHasGCPmanagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/ServiceAccountHasGCPmanagedKey.yaml) | +| 2287 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 2288 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 2289 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 2290 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 2291 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | +| 2292 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | +| 2293 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | +| 2294 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | +| 2295 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | +| 2296 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | +| 2297 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | +| 2298 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | +| 2299 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | +| 2300 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | +| 2301 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | +| 2302 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | +| 2303 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | +| 2304 | CKV2_GCP_10 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function HTTP trigger is secured | Terraform | [CloudFunctionSecureHTTPTrigger.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml) | +| 2305 | CKV2_GCP_11 | resource | google_project_services | Ensure GCP GCR Container Vulnerability Scanning is enabled | Terraform | [GCRContainerVulnerabilityScanningEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCRContainerVulnerabilityScanningEnabled.yaml) | +| 2306 | CKV2_GCP_12 | resource | google_compute_firewall | Ensure GCP compute firewall ingress does not allow unrestricted access to all ports | Terraform | [GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml) | +| 2307 | CKV2_GCP_13 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_duration' is set to 'on' | Terraform | [GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml) | +| 2308 | CKV2_GCP_14 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml) | +| 2309 | CKV2_GCP_15 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml) | +| 2310 | CKV2_GCP_16 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml) | +| 2311 | CKV2_GCP_17 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml) | +| 2312 | CKV2_GCP_18 | resource | google_compute_network | Ensure GCP network defines a firewall and does not use the default firewall | Terraform | [GCPNetworkDoesNotUseDefaultFirewall.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml) | +| 2313 | CKV2_GCP_19 | resource | google_container_cluster | Ensure GCP Kubernetes engine clusters have 'alpha cluster' feature disabled | Terraform | [GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml) | +| 2314 | CKV2_GCP_20 | resource | google_sql_database_instance | Ensure MySQL DB instance has point-in-time recovery backup configured | Terraform | [GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml) | +| 2315 | CKV_GHA_1 | jobs | jobs | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables | github_actions | [AllowUnsecureCommandsOnJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/AllowUnsecureCommandsOnJob.py) | +| 2316 | CKV_GHA_1 | jobs | jobs.*.steps[] | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables | github_actions | [AllowUnsecureCommandsOnJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/AllowUnsecureCommandsOnJob.py) | +| 2317 | CKV_GHA_2 | jobs | jobs | Ensure run commands are not vulnerable to shell injection | github_actions | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ShellInjection.py) | +| 2318 | CKV_GHA_2 | jobs | jobs.*.steps[] | Ensure run commands are not vulnerable to shell injection | github_actions | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ShellInjection.py) | +| 2319 | CKV_GHA_3 | jobs | jobs | Suspicious use of curl with secrets | github_actions | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/SuspectCurlInScript.py) | +| 2320 | CKV_GHA_3 | jobs | jobs.*.steps[] | Suspicious use of curl with secrets | github_actions | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/SuspectCurlInScript.py) | +| 2321 | CKV_GHA_4 | jobs | jobs | Suspicious use of netcat with IP address | github_actions | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ReverseShellNetcat.py) | +| 2322 | CKV_GHA_4 | jobs | jobs.*.steps[] | Suspicious use of netcat with IP address | github_actions | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ReverseShellNetcat.py) | +| 2323 | CKV_GHA_5 | jobs | jobs | Found artifact build without evidence of cosign sign execution in pipeline | github_actions | [CosignArtifacts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/CosignArtifacts.py) | +| 2324 | CKV_GHA_6 | jobs | jobs | Found artifact build without evidence of cosign sbom attestation in pipeline | github_actions | [CosignSBOM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/CosignSBOM.py) | +| 2325 | CKV_GHA_7 | jobs | on | The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. | github_actions | [EmptyWorkflowDispatch.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/EmptyWorkflowDispatch.py) | +| 2326 | CKV2_GHA_1 | resource | permissions | Ensure top-level permissions are not set to write-all | github_actions | [ReadOnlyTopLevelPermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/graph_checks/ReadOnlyTopLevelPermissions.yaml) | +| 2327 | CKV_GIT_1 | resource | github_repository | Ensure GitHub repository is Private | Terraform | [PrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/PrivateRepo.py) | +| 2328 | CKV_GIT_2 | resource | github_repository_webhook | Ensure GitHub repository webhooks are using HTTPS | Terraform | [WebhookInsecureSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/WebhookInsecureSsl.py) | +| 2329 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | [RepositoryEnableVulnerabilityAlerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py) | +| 2330 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | +| 2331 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | +| 2332 | CKV_GIT_4 | resource | github_actions_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | +| 2333 | CKV_GIT_5 | resource | github_branch_protection | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | +| 2334 | CKV_GIT_5 | resource | github_branch_protection_v3 | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | +| 2335 | CKV_GIT_6 | resource | github_branch_protection | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | +| 2336 | CKV_GIT_6 | resource | github_branch_protection_v3 | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | +| 2337 | CKV2_GIT_1 | resource | github_repository | Ensure each Repository has branch protection associated | Terraform | [RepositoryHasBranchProtection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/github/RepositoryHasBranchProtection.yaml) | +| 2338 | CKV_GITHUB_1 | github_configuration | * | Ensure GitHub organization security settings require 2FA | github_configuration | [2fa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/2fa.py) | +| 2339 | CKV_GITHUB_2 | github_configuration | * | Ensure GitHub organization security settings require SSO | github_configuration | [sso.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/sso.py) | +| 2340 | CKV_GITHUB_3 | github_configuration | * | Ensure GitHub organization security settings has IP allow list enabled | github_configuration | [ipallowlist.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/ipallowlist.py) | +| 2341 | CKV_GITHUB_4 | github_configuration | * | Ensure GitHub branch protection rules requires signed commits | github_configuration | [require_signatures.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_signatures.py) | +| 2342 | CKV_GITHUB_5 | github_configuration | * | Ensure GitHub branch protection rules does not allow force pushes | github_configuration | [disallow_force_pushes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_force_pushes.py) | +| 2343 | CKV_GITHUB_6 | github_configuration | * | Ensure GitHub organization webhooks are using HTTPS | github_configuration | [webhooks_https_orgs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/webhooks_https_orgs.py) | +| 2344 | CKV_GITHUB_7 | github_configuration | * | Ensure GitHub repository webhooks are using HTTPS | github_configuration | [webhooks_https_repos.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/webhooks_https_repos.py) | +| 2345 | CKV_GITHUB_8 | github_configuration | * | Ensure GitHub branch protection rules requires linear history | github_configuration | [require_linear_history.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_linear_history.py) | +| 2346 | CKV_GITHUB_9 | github_configuration | * | Ensure 2 admins are set for each repository | github_configuration | [repository_collaborators.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/repository_collaborators.py) | +| 2347 | CKV_GITHUB_10 | github_configuration | * | Ensure branch protection rules are enforced on administrators | github_configuration | [enforce_branch_protection_admins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/enforce_branch_protection_admins.py) | +| 2348 | CKV_GITHUB_11 | github_configuration | * | Ensure GitHub branch protection dismisses stale review on new commit | github_configuration | [dismiss_stale_reviews.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/dismiss_stale_reviews.py) | +| 2349 | CKV_GITHUB_12 | github_configuration | * | Ensure GitHub branch protection restricts who can dismiss PR reviews | github_configuration | [restrict_pr_review_dismissal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/restrict_pr_review_dismissal.py) | +| 2350 | CKV_GITHUB_13 | github_configuration | * | Ensure GitHub branch protection requires CODEOWNER reviews | github_configuration | [require_code_owner_reviews.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_code_owner_reviews.py) | +| 2351 | CKV_GITHUB_14 | github_configuration | * | Ensure all checks have passed before the merge of new code | github_configuration | [require_status_checks_pr.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_status_checks_pr.py) | +| 2352 | CKV_GITHUB_15 | github_configuration | * | Ensure inactive branches are reviewed and removed periodically | github_configuration | [disallow_inactive_branch_60days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_inactive_branch_60days.py) | +| 2353 | CKV_GITHUB_16 | github_configuration | * | Ensure GitHub branch protection requires conversation resolution | github_configuration | [require_conversation_resolution.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_conversation_resolution.py) | +| 2354 | CKV_GITHUB_17 | github_configuration | * | Ensure GitHub branch protection requires push restrictions | github_configuration | [require_push_restrictions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_push_restrictions.py) | +| 2355 | CKV_GITHUB_18 | github_configuration | * | Ensure GitHub branch protection rules does not allow deletions | github_configuration | [disallow_branch_deletions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_branch_deletions.py) | +| 2356 | CKV_GITHUB_19 | github_configuration | * | Ensure any change to code receives approval of two strongly authenticated users | github_configuration | [require_2approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_2approvals.py) | +| 2357 | CKV_GITHUB_20 | github_configuration | * | Ensure open git branches are up to date before they can be merged into codebase | github_configuration | [require_updated_branch_pr.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_updated_branch_pr.py) | +| 2358 | CKV_GITHUB_21 | github_configuration | * | Ensure public repository creation is limited to specific members | github_configuration | [public_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/public_repository_creation_is_limited.py) | +| 2359 | CKV_GITHUB_22 | github_configuration | * | Ensure private repository creation is limited to specific members | github_configuration | [private_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/private_repository_creation_is_limited.py) | +| 2360 | CKV_GITHUB_23 | github_configuration | * | Ensure internal repository creation is limited to specific members | github_configuration | [internal_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/internal_repository_creation_is_limited.py) | +| 2361 | CKV_GITHUB_26 | github_configuration | * | Ensure minimum admins are set for the organization | github_configuration | [minimum_admins_in_org.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/minimum_admins_in_org.py) | +| 2362 | CKV_GITHUB_27 | github_configuration | * | Ensure strict base permissions are set for repositories | github_configuration | [require_strict_base_permissions_repository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_strict_base_permissions_repository.py) | +| 2363 | CKV_GITHUB_28 | github_configuration | * | Ensure an organization's identity is confirmed with a Verified badge Passed | github_configuration | [require_verified_organization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_verified_organization.py) | +| 2364 | CKV_GITLAB_1 | gitlab_configuration | * | Merge requests should require at least 2 approvals | gitlab_configuration | [merge_requests_approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab/checks/merge_requests_approvals.py) | +| 2365 | CKV_GITLAB_2 | gitlab_configuration | * | Ensure all Gitlab groups require two factor authentication | gitlab_configuration | [two_factor_authentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab/checks/two_factor_authentication.py) | +| 2366 | CKV_GITLABCI_1 | jobs | *.script[] | Suspicious use of curl with CI environment variables in script | gitlab_ci | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/SuspectCurlInScript.py) | +| 2367 | CKV_GITLABCI_2 | jobs | *.rules | Avoid creating rules that generate double pipelines | gitlab_ci | [AvoidDoublePipelines.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/AvoidDoublePipelines.py) | +| 2368 | CKV_GITLABCI_3 | jobs | *.image[] | Detecting image usages in gitlab workflows | gitlab_ci | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/DetectImagesUsage.py) | +| 2369 | CKV_GITLABCI_3 | jobs | *.services[] | Detecting image usages in gitlab workflows | gitlab_ci | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/DetectImagesUsage.py) | +| 2370 | CKV_GLB_1 | resource | gitlab_project | Ensure at least two approving reviews are required to merge a GitLab MR | Terraform | [RequireTwoApprovalsToMerge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RequireTwoApprovalsToMerge.py) | +| 2371 | CKV_GLB_2 | resource | gitlab_branch_protection | Ensure GitLab branch protection rules does not allow force pushes | Terraform | [ForcePushDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/ForcePushDisabled.py) | +| 2372 | CKV_GLB_3 | resource | gitlab_project | Ensure GitLab prevent secrets is enabled | Terraform | [PreventSecretsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/PreventSecretsEnabled.py) | +| 2373 | CKV_GLB_4 | resource | gitlab_project | Ensure GitLab commits are signed | Terraform | [RejectUnsignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RejectUnsignedCommits.py) | +| 2374 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPIDPSP.py) | +| 2375 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPIDPSP.py) | +| 2376 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | [PrivilegedContainersPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainersPSP.py) | +| 2377 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | [PrivilegedContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainerPSP.py) | +| 2378 | CKV_K8S_3 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPCPSP.py) | +| 2379 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPCPSP.py) | +| 2380 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespacePSP.py) | +| 2381 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespacePSP.py) | +| 2382 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalationPSP.py) | +| 2383 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalationPSP.py) | +| 2384 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers | Kubernetes | [RootContainersPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersPSP.py) | +| 2385 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | [RootContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py) | +| 2386 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilitiesPSP.py) | +| 2387 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py) | +| 2388 | CKV_K8S_8 | resource | DaemonSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2389 | CKV_K8S_8 | resource | Deployment | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2390 | CKV_K8S_8 | resource | DeploymentConfig | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2391 | CKV_K8S_8 | resource | Pod | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2392 | CKV_K8S_8 | resource | PodTemplate | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2393 | CKV_K8S_8 | resource | ReplicaSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2394 | CKV_K8S_8 | resource | ReplicationController | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2395 | CKV_K8S_8 | resource | StatefulSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2396 | CKV_K8S_8 | resource | kubernetes_deployment | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 2397 | CKV_K8S_8 | resource | kubernetes_deployment_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 2398 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 2399 | CKV_K8S_8 | resource | kubernetes_pod_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 2400 | CKV_K8S_9 | resource | DaemonSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2401 | CKV_K8S_9 | resource | Deployment | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2402 | CKV_K8S_9 | resource | DeploymentConfig | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2403 | CKV_K8S_9 | resource | Pod | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2404 | CKV_K8S_9 | resource | PodTemplate | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2405 | CKV_K8S_9 | resource | ReplicaSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2406 | CKV_K8S_9 | resource | ReplicationController | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2407 | CKV_K8S_9 | resource | StatefulSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2408 | CKV_K8S_9 | resource | kubernetes_deployment | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 2409 | CKV_K8S_9 | resource | kubernetes_deployment_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 2410 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 2411 | CKV_K8S_9 | resource | kubernetes_pod_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 2412 | CKV_K8S_10 | resource | CronJob | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2413 | CKV_K8S_10 | resource | DaemonSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2414 | CKV_K8S_10 | resource | Deployment | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2415 | CKV_K8S_10 | resource | DeploymentConfig | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2416 | CKV_K8S_10 | resource | Job | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2417 | CKV_K8S_10 | resource | Pod | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2418 | CKV_K8S_10 | resource | PodTemplate | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2419 | CKV_K8S_10 | resource | ReplicaSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2420 | CKV_K8S_10 | resource | ReplicationController | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2421 | CKV_K8S_10 | resource | StatefulSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2422 | CKV_K8S_10 | resource | kubernetes_deployment | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 2423 | CKV_K8S_10 | resource | kubernetes_deployment_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 2424 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 2425 | CKV_K8S_10 | resource | kubernetes_pod_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 2426 | CKV_K8S_11 | resource | CronJob | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2427 | CKV_K8S_11 | resource | DaemonSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2428 | CKV_K8S_11 | resource | Deployment | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2429 | CKV_K8S_11 | resource | DeploymentConfig | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2430 | CKV_K8S_11 | resource | Job | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2431 | CKV_K8S_11 | resource | Pod | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2432 | CKV_K8S_11 | resource | PodTemplate | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2433 | CKV_K8S_11 | resource | ReplicaSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2434 | CKV_K8S_11 | resource | ReplicationController | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2435 | CKV_K8S_11 | resource | StatefulSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2436 | CKV_K8S_11 | resource | kubernetes_deployment | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 2437 | CKV_K8S_11 | resource | kubernetes_deployment_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 2438 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 2439 | CKV_K8S_11 | resource | kubernetes_pod_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 2440 | CKV_K8S_12 | resource | CronJob | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2441 | CKV_K8S_12 | resource | DaemonSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2442 | CKV_K8S_12 | resource | Deployment | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2443 | CKV_K8S_12 | resource | DeploymentConfig | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2444 | CKV_K8S_12 | resource | Job | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2445 | CKV_K8S_12 | resource | Pod | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2446 | CKV_K8S_12 | resource | PodTemplate | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2447 | CKV_K8S_12 | resource | ReplicaSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2448 | CKV_K8S_12 | resource | ReplicationController | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2449 | CKV_K8S_12 | resource | StatefulSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2450 | CKV_K8S_12 | resource | kubernetes_deployment | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 2451 | CKV_K8S_12 | resource | kubernetes_deployment_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 2452 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 2453 | CKV_K8S_12 | resource | kubernetes_pod_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 2454 | CKV_K8S_13 | resource | CronJob | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2455 | CKV_K8S_13 | resource | DaemonSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2456 | CKV_K8S_13 | resource | Deployment | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2457 | CKV_K8S_13 | resource | DeploymentConfig | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2458 | CKV_K8S_13 | resource | Job | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2459 | CKV_K8S_13 | resource | Pod | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2460 | CKV_K8S_13 | resource | PodTemplate | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2461 | CKV_K8S_13 | resource | ReplicaSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2462 | CKV_K8S_13 | resource | ReplicationController | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2463 | CKV_K8S_13 | resource | StatefulSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2464 | CKV_K8S_13 | resource | kubernetes_deployment | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 2465 | CKV_K8S_13 | resource | kubernetes_deployment_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 2466 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 2467 | CKV_K8S_13 | resource | kubernetes_pod_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 2468 | CKV_K8S_14 | resource | CronJob | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2469 | CKV_K8S_14 | resource | DaemonSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2470 | CKV_K8S_14 | resource | Deployment | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2471 | CKV_K8S_14 | resource | DeploymentConfig | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2472 | CKV_K8S_14 | resource | Job | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2473 | CKV_K8S_14 | resource | Pod | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2474 | CKV_K8S_14 | resource | PodTemplate | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2475 | CKV_K8S_14 | resource | ReplicaSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2476 | CKV_K8S_14 | resource | ReplicationController | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2477 | CKV_K8S_14 | resource | StatefulSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2478 | CKV_K8S_14 | resource | kubernetes_deployment | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 2479 | CKV_K8S_14 | resource | kubernetes_deployment_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 2480 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 2481 | CKV_K8S_14 | resource | kubernetes_pod_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 2482 | CKV_K8S_15 | resource | CronJob | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2483 | CKV_K8S_15 | resource | DaemonSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2484 | CKV_K8S_15 | resource | Deployment | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2485 | CKV_K8S_15 | resource | DeploymentConfig | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2486 | CKV_K8S_15 | resource | Job | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2487 | CKV_K8S_15 | resource | Pod | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2488 | CKV_K8S_15 | resource | PodTemplate | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2489 | CKV_K8S_15 | resource | ReplicaSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2490 | CKV_K8S_15 | resource | ReplicationController | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2491 | CKV_K8S_15 | resource | StatefulSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2492 | CKV_K8S_15 | resource | kubernetes_deployment | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 2493 | CKV_K8S_15 | resource | kubernetes_deployment_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 2494 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 2495 | CKV_K8S_15 | resource | kubernetes_pod_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 2496 | CKV_K8S_16 | resource | CronJob | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2497 | CKV_K8S_16 | resource | DaemonSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2498 | CKV_K8S_16 | resource | Deployment | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2499 | CKV_K8S_16 | resource | DeploymentConfig | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2500 | CKV_K8S_16 | resource | Job | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2501 | CKV_K8S_16 | resource | Pod | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2502 | CKV_K8S_16 | resource | PodTemplate | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2503 | CKV_K8S_16 | resource | ReplicaSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2504 | CKV_K8S_16 | resource | ReplicationController | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2505 | CKV_K8S_16 | resource | StatefulSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2506 | CKV_K8S_16 | resource | kubernetes_deployment | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 2507 | CKV_K8S_16 | resource | kubernetes_deployment_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 2508 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 2509 | CKV_K8S_16 | resource | kubernetes_pod_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 2510 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2511 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2512 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2513 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2514 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2515 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2516 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2517 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2518 | CKV_K8S_17 | resource | kubernetes_deployment | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 2519 | CKV_K8S_17 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 2520 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 2521 | CKV_K8S_17 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 2522 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2523 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2524 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2525 | CKV_K8S_18 | resource | Job | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2526 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2527 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2528 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2529 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2530 | CKV_K8S_18 | resource | kubernetes_deployment | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 2531 | CKV_K8S_18 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 2532 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 2533 | CKV_K8S_18 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 2534 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2535 | CKV_K8S_19 | resource | DaemonSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2536 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2537 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2538 | CKV_K8S_19 | resource | Pod | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2539 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2540 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2541 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2542 | CKV_K8S_19 | resource | kubernetes_deployment | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 2543 | CKV_K8S_19 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 2544 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 2545 | CKV_K8S_19 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 2546 | CKV_K8S_20 | resource | CronJob | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2547 | CKV_K8S_20 | resource | DaemonSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2548 | CKV_K8S_20 | resource | Deployment | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2549 | CKV_K8S_20 | resource | DeploymentConfig | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2550 | CKV_K8S_20 | resource | Job | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2551 | CKV_K8S_20 | resource | Pod | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2552 | CKV_K8S_20 | resource | PodTemplate | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2553 | CKV_K8S_20 | resource | ReplicaSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2554 | CKV_K8S_20 | resource | ReplicationController | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2555 | CKV_K8S_20 | resource | StatefulSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2556 | CKV_K8S_20 | resource | kubernetes_deployment | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 2557 | CKV_K8S_20 | resource | kubernetes_deployment_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 2558 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 2559 | CKV_K8S_20 | resource | kubernetes_pod_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 2560 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2561 | CKV_K8S_21 | resource | CronJob | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2562 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2563 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2564 | CKV_K8S_21 | resource | Ingress | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2565 | CKV_K8S_21 | resource | Job | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2566 | CKV_K8S_21 | resource | Pod | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2567 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2568 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2569 | CKV_K8S_21 | resource | Role | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2570 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2571 | CKV_K8S_21 | resource | Secret | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2572 | CKV_K8S_21 | resource | Service | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2573 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2574 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2575 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2576 | CKV_K8S_21 | resource | kubernetes_config_map_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2577 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2578 | CKV_K8S_21 | resource | kubernetes_cron_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2579 | CKV_K8S_21 | resource | kubernetes_daemon_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2580 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2581 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2582 | CKV_K8S_21 | resource | kubernetes_deployment_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2583 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2584 | CKV_K8S_21 | resource | kubernetes_ingress_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2585 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2586 | CKV_K8S_21 | resource | kubernetes_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2587 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2588 | CKV_K8S_21 | resource | kubernetes_pod_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2589 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2590 | CKV_K8S_21 | resource | kubernetes_replication_controller_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2591 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2592 | CKV_K8S_21 | resource | kubernetes_role_binding_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2593 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2594 | CKV_K8S_21 | resource | kubernetes_secret_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2595 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2596 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2597 | CKV_K8S_21 | resource | kubernetes_service_account_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2598 | CKV_K8S_21 | resource | kubernetes_service_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2599 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2600 | CKV_K8S_21 | resource | kubernetes_stateful_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2601 | CKV_K8S_22 | resource | CronJob | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2602 | CKV_K8S_22 | resource | DaemonSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2603 | CKV_K8S_22 | resource | Deployment | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2604 | CKV_K8S_22 | resource | DeploymentConfig | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2605 | CKV_K8S_22 | resource | Job | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2606 | CKV_K8S_22 | resource | Pod | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2607 | CKV_K8S_22 | resource | PodTemplate | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2608 | CKV_K8S_22 | resource | ReplicaSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2609 | CKV_K8S_22 | resource | ReplicationController | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2610 | CKV_K8S_22 | resource | StatefulSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2611 | CKV_K8S_22 | resource | kubernetes_deployment | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 2612 | CKV_K8S_22 | resource | kubernetes_deployment_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 2613 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 2614 | CKV_K8S_22 | resource | kubernetes_pod_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 2615 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2616 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2617 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2618 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2619 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2620 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2621 | CKV_K8S_23 | resource | ReplicationController | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2622 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2623 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesPSP.py) | +| 2624 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesPSP.py) | +| 2625 | CKV_K8S_25 | resource | CronJob | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2626 | CKV_K8S_25 | resource | DaemonSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2627 | CKV_K8S_25 | resource | Deployment | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2628 | CKV_K8S_25 | resource | DeploymentConfig | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2629 | CKV_K8S_25 | resource | Job | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2630 | CKV_K8S_25 | resource | Pod | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2631 | CKV_K8S_25 | resource | PodTemplate | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2632 | CKV_K8S_25 | resource | ReplicaSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2633 | CKV_K8S_25 | resource | ReplicationController | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2634 | CKV_K8S_25 | resource | StatefulSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | +| 2635 | CKV_K8S_25 | resource | kubernetes_deployment | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 2636 | CKV_K8S_25 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 2637 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 2638 | CKV_K8S_25 | resource | kubernetes_pod_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 2639 | CKV_K8S_26 | resource | CronJob | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2640 | CKV_K8S_26 | resource | DaemonSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2641 | CKV_K8S_26 | resource | Deployment | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2642 | CKV_K8S_26 | resource | DeploymentConfig | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2643 | CKV_K8S_26 | resource | Job | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2644 | CKV_K8S_26 | resource | Pod | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2645 | CKV_K8S_26 | resource | PodTemplate | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2646 | CKV_K8S_26 | resource | ReplicaSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2647 | CKV_K8S_26 | resource | ReplicationController | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2648 | CKV_K8S_26 | resource | StatefulSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | +| 2649 | CKV_K8S_26 | resource | kubernetes_deployment | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 2650 | CKV_K8S_26 | resource | kubernetes_deployment_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 2651 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 2652 | CKV_K8S_26 | resource | kubernetes_pod_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 2653 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | +| 2654 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | +| 2655 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | +| 2656 | CKV_K8S_27 | resource | Job | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | +| 2657 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | +| 2658 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | +| 2659 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | +| 2660 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | +| 2661 | CKV_K8S_27 | resource | kubernetes_daemon_set_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 2662 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 2663 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 2664 | CKV_K8S_27 | resource | kubernetes_deployment_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 2665 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 2666 | CKV_K8S_27 | resource | kubernetes_pod_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 2667 | CKV_K8S_28 | resource | CronJob | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2668 | CKV_K8S_28 | resource | DaemonSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2669 | CKV_K8S_28 | resource | Deployment | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2670 | CKV_K8S_28 | resource | DeploymentConfig | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2671 | CKV_K8S_28 | resource | Job | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2672 | CKV_K8S_28 | resource | Pod | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2673 | CKV_K8S_28 | resource | PodTemplate | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2674 | CKV_K8S_28 | resource | ReplicaSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2675 | CKV_K8S_28 | resource | ReplicationController | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2676 | CKV_K8S_28 | resource | StatefulSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | +| 2677 | CKV_K8S_28 | resource | kubernetes_deployment | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 2678 | CKV_K8S_28 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 2679 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 2680 | CKV_K8S_28 | resource | kubernetes_pod_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 2681 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | +| 2682 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | +| 2683 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | +| 2684 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | +| 2685 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | +| 2686 | CKV_K8S_29 | resource | ReplicaSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | +| 2687 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | +| 2688 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | +| 2689 | CKV_K8S_29 | resource | kubernetes_daemon_set_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 2690 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 2691 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 2692 | CKV_K8S_29 | resource | kubernetes_deployment_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 2693 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 2694 | CKV_K8S_29 | resource | kubernetes_pod_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 2695 | CKV_K8S_30 | resource | CronJob | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2696 | CKV_K8S_30 | resource | DaemonSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2697 | CKV_K8S_30 | resource | Deployment | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2698 | CKV_K8S_30 | resource | DeploymentConfig | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2699 | CKV_K8S_30 | resource | Job | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2700 | CKV_K8S_30 | resource | Pod | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2701 | CKV_K8S_30 | resource | PodTemplate | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2702 | CKV_K8S_30 | resource | ReplicaSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2703 | CKV_K8S_30 | resource | ReplicationController | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2704 | CKV_K8S_30 | resource | StatefulSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | +| 2705 | CKV_K8S_30 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 2706 | CKV_K8S_30 | resource | kubernetes_deployment_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 2707 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 2708 | CKV_K8S_30 | resource | kubernetes_pod_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 2709 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | +| 2710 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | +| 2711 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | +| 2712 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | +| 2713 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | +| 2714 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | +| 2715 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | +| 2716 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | +| 2717 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SeccompPSP.py) | +| 2718 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py) | +| 2719 | CKV_K8S_33 | resource | CronJob | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2720 | CKV_K8S_33 | resource | DaemonSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2721 | CKV_K8S_33 | resource | Deployment | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2722 | CKV_K8S_33 | resource | DeploymentConfig | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2723 | CKV_K8S_33 | resource | Job | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2724 | CKV_K8S_33 | resource | Pod | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2725 | CKV_K8S_33 | resource | PodTemplate | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2726 | CKV_K8S_33 | resource | ReplicaSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2727 | CKV_K8S_33 | resource | ReplicationController | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2728 | CKV_K8S_33 | resource | StatefulSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | +| 2729 | CKV_K8S_34 | resource | CronJob | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2730 | CKV_K8S_34 | resource | DaemonSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2731 | CKV_K8S_34 | resource | Deployment | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2732 | CKV_K8S_34 | resource | DeploymentConfig | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2733 | CKV_K8S_34 | resource | Job | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2734 | CKV_K8S_34 | resource | Pod | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2735 | CKV_K8S_34 | resource | PodTemplate | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2736 | CKV_K8S_34 | resource | ReplicaSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2737 | CKV_K8S_34 | resource | ReplicationController | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2738 | CKV_K8S_34 | resource | StatefulSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2739 | CKV_K8S_34 | resource | kubernetes_deployment | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 2740 | CKV_K8S_34 | resource | kubernetes_deployment_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 2741 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 2742 | CKV_K8S_34 | resource | kubernetes_pod_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 2743 | CKV_K8S_35 | resource | CronJob | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2744 | CKV_K8S_35 | resource | DaemonSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2745 | CKV_K8S_35 | resource | Deployment | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2746 | CKV_K8S_35 | resource | DeploymentConfig | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2747 | CKV_K8S_35 | resource | Job | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2748 | CKV_K8S_35 | resource | Pod | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2749 | CKV_K8S_35 | resource | PodTemplate | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2750 | CKV_K8S_35 | resource | ReplicaSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2751 | CKV_K8S_35 | resource | ReplicationController | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2752 | CKV_K8S_35 | resource | StatefulSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2753 | CKV_K8S_35 | resource | kubernetes_deployment | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 2754 | CKV_K8S_35 | resource | kubernetes_deployment_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 2755 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 2756 | CKV_K8S_35 | resource | kubernetes_pod_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 2757 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilitiesPSP.py) | +| 2758 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilitiesPSP.py) | +| 2759 | CKV_K8S_37 | resource | CronJob | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2760 | CKV_K8S_37 | resource | DaemonSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2761 | CKV_K8S_37 | resource | Deployment | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2762 | CKV_K8S_37 | resource | DeploymentConfig | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2763 | CKV_K8S_37 | resource | Job | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2764 | CKV_K8S_37 | resource | Pod | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2765 | CKV_K8S_37 | resource | PodTemplate | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2766 | CKV_K8S_37 | resource | ReplicaSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2767 | CKV_K8S_37 | resource | ReplicationController | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2768 | CKV_K8S_37 | resource | StatefulSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2769 | CKV_K8S_37 | resource | kubernetes_deployment | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 2770 | CKV_K8S_37 | resource | kubernetes_deployment_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 2771 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 2772 | CKV_K8S_37 | resource | kubernetes_pod_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 2773 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2774 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2775 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2776 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2777 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2778 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2779 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2780 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2781 | CKV_K8S_39 | resource | CronJob | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2782 | CKV_K8S_39 | resource | DaemonSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2783 | CKV_K8S_39 | resource | Deployment | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2784 | CKV_K8S_39 | resource | DeploymentConfig | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2785 | CKV_K8S_39 | resource | Job | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2786 | CKV_K8S_39 | resource | Pod | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2787 | CKV_K8S_39 | resource | PodTemplate | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2788 | CKV_K8S_39 | resource | ReplicaSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2789 | CKV_K8S_39 | resource | ReplicationController | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2790 | CKV_K8S_39 | resource | StatefulSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2791 | CKV_K8S_39 | resource | kubernetes_deployment | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 2792 | CKV_K8S_39 | resource | kubernetes_deployment_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 2793 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 2794 | CKV_K8S_39 | resource | kubernetes_pod_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 2795 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2796 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2797 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2798 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2799 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2800 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2801 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2802 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2803 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccount.py) | +| 2804 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | +| 2805 | CKV_K8S_41 | resource | kubernetes_service_account_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | +| 2806 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccountBinding.py) | +| 2807 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccountBinding.py) | +| 2808 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 2809 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 2810 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 2811 | CKV_K8S_42 | resource | kubernetes_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 2812 | CKV_K8S_43 | resource | CronJob | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2813 | CKV_K8S_43 | resource | DaemonSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2814 | CKV_K8S_43 | resource | Deployment | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2815 | CKV_K8S_43 | resource | DeploymentConfig | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2816 | CKV_K8S_43 | resource | Job | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2817 | CKV_K8S_43 | resource | Pod | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2818 | CKV_K8S_43 | resource | PodTemplate | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2819 | CKV_K8S_43 | resource | ReplicaSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2820 | CKV_K8S_43 | resource | ReplicationController | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2821 | CKV_K8S_43 | resource | StatefulSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2822 | CKV_K8S_43 | resource | kubernetes_deployment | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 2823 | CKV_K8S_43 | resource | kubernetes_deployment_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 2824 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 2825 | CKV_K8S_43 | resource | kubernetes_pod_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 2826 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerService.py) | +| 2827 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | +| 2828 | CKV_K8S_44 | resource | kubernetes_service_v1 | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | +| 2829 | CKV_K8S_45 | resource | CronJob | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2830 | CKV_K8S_45 | resource | DaemonSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2831 | CKV_K8S_45 | resource | Deployment | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2832 | CKV_K8S_45 | resource | DeploymentConfig | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2833 | CKV_K8S_45 | resource | Job | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2834 | CKV_K8S_45 | resource | Pod | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2835 | CKV_K8S_45 | resource | PodTemplate | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2836 | CKV_K8S_45 | resource | ReplicaSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2837 | CKV_K8S_45 | resource | ReplicationController | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2838 | CKV_K8S_45 | resource | StatefulSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2839 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py) | +| 2840 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py) | +| 2841 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 2842 | CKV_K8S_49 | resource | kubernetes_cluster_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 2843 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 2844 | CKV_K8S_49 | resource | kubernetes_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 2845 | CKV_K8S_68 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2846 | CKV_K8S_68 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2847 | CKV_K8S_68 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2848 | CKV_K8S_68 | resource | DeploymentConfig | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2849 | CKV_K8S_68 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2850 | CKV_K8S_68 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2851 | CKV_K8S_68 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2852 | CKV_K8S_68 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2853 | CKV_K8S_68 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2854 | CKV_K8S_68 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2855 | CKV_K8S_69 | resource | CronJob | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2856 | CKV_K8S_69 | resource | DaemonSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2857 | CKV_K8S_69 | resource | Deployment | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2858 | CKV_K8S_69 | resource | DeploymentConfig | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2859 | CKV_K8S_69 | resource | Job | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2860 | CKV_K8S_69 | resource | Pod | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2861 | CKV_K8S_69 | resource | PodTemplate | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2862 | CKV_K8S_69 | resource | ReplicaSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2863 | CKV_K8S_69 | resource | ReplicationController | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2864 | CKV_K8S_69 | resource | StatefulSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2865 | CKV_K8S_70 | resource | CronJob | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2866 | CKV_K8S_70 | resource | DaemonSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2867 | CKV_K8S_70 | resource | Deployment | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2868 | CKV_K8S_70 | resource | DeploymentConfig | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2869 | CKV_K8S_70 | resource | Job | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2870 | CKV_K8S_70 | resource | Pod | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2871 | CKV_K8S_70 | resource | PodTemplate | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2872 | CKV_K8S_70 | resource | ReplicaSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2873 | CKV_K8S_70 | resource | ReplicationController | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2874 | CKV_K8S_70 | resource | StatefulSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2875 | CKV_K8S_71 | resource | CronJob | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2876 | CKV_K8S_71 | resource | DaemonSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2877 | CKV_K8S_71 | resource | Deployment | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2878 | CKV_K8S_71 | resource | DeploymentConfig | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2879 | CKV_K8S_71 | resource | Job | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2880 | CKV_K8S_71 | resource | Pod | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2881 | CKV_K8S_71 | resource | PodTemplate | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2882 | CKV_K8S_71 | resource | ReplicaSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2883 | CKV_K8S_71 | resource | ReplicationController | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2884 | CKV_K8S_71 | resource | StatefulSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2885 | CKV_K8S_72 | resource | CronJob | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2886 | CKV_K8S_72 | resource | DaemonSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2887 | CKV_K8S_72 | resource | Deployment | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2888 | CKV_K8S_72 | resource | DeploymentConfig | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2889 | CKV_K8S_72 | resource | Job | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2890 | CKV_K8S_72 | resource | Pod | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2891 | CKV_K8S_72 | resource | PodTemplate | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2892 | CKV_K8S_72 | resource | ReplicaSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2893 | CKV_K8S_72 | resource | ReplicationController | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2894 | CKV_K8S_72 | resource | StatefulSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 2895 | CKV_K8S_73 | resource | CronJob | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2896 | CKV_K8S_73 | resource | DaemonSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2897 | CKV_K8S_73 | resource | Deployment | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2898 | CKV_K8S_73 | resource | DeploymentConfig | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2899 | CKV_K8S_73 | resource | Job | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2900 | CKV_K8S_73 | resource | Pod | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2901 | CKV_K8S_73 | resource | PodTemplate | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2902 | CKV_K8S_73 | resource | ReplicaSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2903 | CKV_K8S_73 | resource | ReplicationController | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2904 | CKV_K8S_73 | resource | StatefulSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 2905 | CKV_K8S_74 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2906 | CKV_K8S_74 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2907 | CKV_K8S_74 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2908 | CKV_K8S_74 | resource | DeploymentConfig | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2909 | CKV_K8S_74 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2910 | CKV_K8S_74 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2911 | CKV_K8S_74 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2912 | CKV_K8S_74 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2913 | CKV_K8S_74 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2914 | CKV_K8S_74 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 2915 | CKV_K8S_75 | resource | CronJob | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2916 | CKV_K8S_75 | resource | DaemonSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2917 | CKV_K8S_75 | resource | Deployment | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2918 | CKV_K8S_75 | resource | DeploymentConfig | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2919 | CKV_K8S_75 | resource | Job | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2920 | CKV_K8S_75 | resource | Pod | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2921 | CKV_K8S_75 | resource | PodTemplate | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2922 | CKV_K8S_75 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2923 | CKV_K8S_75 | resource | ReplicationController | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2924 | CKV_K8S_75 | resource | StatefulSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 2925 | CKV_K8S_77 | resource | CronJob | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2926 | CKV_K8S_77 | resource | DaemonSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2927 | CKV_K8S_77 | resource | Deployment | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2928 | CKV_K8S_77 | resource | DeploymentConfig | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2929 | CKV_K8S_77 | resource | Job | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2930 | CKV_K8S_77 | resource | Pod | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2931 | CKV_K8S_77 | resource | PodTemplate | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2932 | CKV_K8S_77 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2933 | CKV_K8S_77 | resource | ReplicationController | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2934 | CKV_K8S_77 | resource | StatefulSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 2935 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set | Kubernetes | [ApiServerAdmissionControlEventRateLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlEventRateLimit.py) | +| 2936 | CKV_K8S_79 | resource | CronJob | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2937 | CKV_K8S_79 | resource | DaemonSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2938 | CKV_K8S_79 | resource | Deployment | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2939 | CKV_K8S_79 | resource | DeploymentConfig | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2940 | CKV_K8S_79 | resource | Job | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2941 | CKV_K8S_79 | resource | Pod | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2942 | CKV_K8S_79 | resource | PodTemplate | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2943 | CKV_K8S_79 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2944 | CKV_K8S_79 | resource | ReplicationController | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2945 | CKV_K8S_79 | resource | StatefulSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 2946 | CKV_K8S_80 | resource | CronJob | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2947 | CKV_K8S_80 | resource | DaemonSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2948 | CKV_K8S_80 | resource | Deployment | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2949 | CKV_K8S_80 | resource | DeploymentConfig | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2950 | CKV_K8S_80 | resource | Job | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2951 | CKV_K8S_80 | resource | Pod | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2952 | CKV_K8S_80 | resource | PodTemplate | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2953 | CKV_K8S_80 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2954 | CKV_K8S_80 | resource | ReplicationController | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2955 | CKV_K8S_80 | resource | StatefulSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 2956 | CKV_K8S_81 | resource | CronJob | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2957 | CKV_K8S_81 | resource | DaemonSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2958 | CKV_K8S_81 | resource | Deployment | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2959 | CKV_K8S_81 | resource | DeploymentConfig | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2960 | CKV_K8S_81 | resource | Job | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2961 | CKV_K8S_81 | resource | Pod | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2962 | CKV_K8S_81 | resource | PodTemplate | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2963 | CKV_K8S_81 | resource | ReplicaSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2964 | CKV_K8S_81 | resource | ReplicationController | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2965 | CKV_K8S_81 | resource | StatefulSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 2966 | CKV_K8S_82 | resource | CronJob | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2967 | CKV_K8S_82 | resource | DaemonSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2968 | CKV_K8S_82 | resource | Deployment | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2969 | CKV_K8S_82 | resource | DeploymentConfig | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2970 | CKV_K8S_82 | resource | Job | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2971 | CKV_K8S_82 | resource | Pod | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2972 | CKV_K8S_82 | resource | PodTemplate | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2973 | CKV_K8S_82 | resource | ReplicaSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2974 | CKV_K8S_82 | resource | ReplicationController | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2975 | CKV_K8S_82 | resource | StatefulSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 2976 | CKV_K8S_83 | resource | CronJob | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2977 | CKV_K8S_83 | resource | DaemonSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2978 | CKV_K8S_83 | resource | Deployment | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2979 | CKV_K8S_83 | resource | DeploymentConfig | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2980 | CKV_K8S_83 | resource | Job | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2981 | CKV_K8S_83 | resource | Pod | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2982 | CKV_K8S_83 | resource | PodTemplate | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2983 | CKV_K8S_83 | resource | ReplicaSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2984 | CKV_K8S_83 | resource | ReplicationController | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2985 | CKV_K8S_83 | resource | StatefulSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 2986 | CKV_K8S_84 | resource | CronJob | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2987 | CKV_K8S_84 | resource | DaemonSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2988 | CKV_K8S_84 | resource | Deployment | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2989 | CKV_K8S_84 | resource | DeploymentConfig | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2990 | CKV_K8S_84 | resource | Job | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2991 | CKV_K8S_84 | resource | Pod | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2992 | CKV_K8S_84 | resource | PodTemplate | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2993 | CKV_K8S_84 | resource | ReplicaSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2994 | CKV_K8S_84 | resource | ReplicationController | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2995 | CKV_K8S_84 | resource | StatefulSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 2996 | CKV_K8S_85 | resource | CronJob | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 2997 | CKV_K8S_85 | resource | DaemonSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 2998 | CKV_K8S_85 | resource | Deployment | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 2999 | CKV_K8S_85 | resource | DeploymentConfig | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 3000 | CKV_K8S_85 | resource | Job | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 3001 | CKV_K8S_85 | resource | Pod | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 3002 | CKV_K8S_85 | resource | PodTemplate | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 3003 | CKV_K8S_85 | resource | ReplicaSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 3004 | CKV_K8S_85 | resource | ReplicationController | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 3005 | CKV_K8S_85 | resource | StatefulSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 3006 | CKV_K8S_86 | resource | CronJob | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3007 | CKV_K8S_86 | resource | DaemonSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3008 | CKV_K8S_86 | resource | Deployment | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3009 | CKV_K8S_86 | resource | DeploymentConfig | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3010 | CKV_K8S_86 | resource | Job | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3011 | CKV_K8S_86 | resource | Pod | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3012 | CKV_K8S_86 | resource | PodTemplate | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3013 | CKV_K8S_86 | resource | ReplicaSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3014 | CKV_K8S_86 | resource | ReplicationController | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3015 | CKV_K8S_86 | resource | StatefulSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3016 | CKV_K8S_88 | resource | CronJob | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3017 | CKV_K8S_88 | resource | DaemonSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3018 | CKV_K8S_88 | resource | Deployment | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3019 | CKV_K8S_88 | resource | DeploymentConfig | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3020 | CKV_K8S_88 | resource | Job | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3021 | CKV_K8S_88 | resource | Pod | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3022 | CKV_K8S_88 | resource | PodTemplate | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3023 | CKV_K8S_88 | resource | ReplicaSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3024 | CKV_K8S_88 | resource | ReplicationController | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3025 | CKV_K8S_88 | resource | StatefulSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3026 | CKV_K8S_89 | resource | CronJob | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3027 | CKV_K8S_89 | resource | DaemonSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3028 | CKV_K8S_89 | resource | Deployment | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3029 | CKV_K8S_89 | resource | DeploymentConfig | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3030 | CKV_K8S_89 | resource | Job | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3031 | CKV_K8S_89 | resource | Pod | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3032 | CKV_K8S_89 | resource | PodTemplate | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3033 | CKV_K8S_89 | resource | ReplicaSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3034 | CKV_K8S_89 | resource | ReplicationController | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3035 | CKV_K8S_89 | resource | StatefulSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3036 | CKV_K8S_90 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3037 | CKV_K8S_90 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3038 | CKV_K8S_90 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3039 | CKV_K8S_90 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3040 | CKV_K8S_90 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3041 | CKV_K8S_90 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3042 | CKV_K8S_90 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3043 | CKV_K8S_90 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3044 | CKV_K8S_90 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3045 | CKV_K8S_90 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3046 | CKV_K8S_91 | resource | CronJob | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3047 | CKV_K8S_91 | resource | DaemonSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3048 | CKV_K8S_91 | resource | Deployment | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3049 | CKV_K8S_91 | resource | DeploymentConfig | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3050 | CKV_K8S_91 | resource | Job | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3051 | CKV_K8S_91 | resource | Pod | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3052 | CKV_K8S_91 | resource | PodTemplate | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3053 | CKV_K8S_91 | resource | ReplicaSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3054 | CKV_K8S_91 | resource | ReplicationController | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3055 | CKV_K8S_91 | resource | StatefulSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3056 | CKV_K8S_92 | resource | CronJob | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3057 | CKV_K8S_92 | resource | DaemonSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3058 | CKV_K8S_92 | resource | Deployment | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3059 | CKV_K8S_92 | resource | DeploymentConfig | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3060 | CKV_K8S_92 | resource | Job | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3061 | CKV_K8S_92 | resource | Pod | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3062 | CKV_K8S_92 | resource | PodTemplate | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3063 | CKV_K8S_92 | resource | ReplicaSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3064 | CKV_K8S_92 | resource | ReplicationController | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3065 | CKV_K8S_92 | resource | StatefulSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3066 | CKV_K8S_93 | resource | CronJob | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3067 | CKV_K8S_93 | resource | DaemonSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3068 | CKV_K8S_93 | resource | Deployment | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3069 | CKV_K8S_93 | resource | DeploymentConfig | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3070 | CKV_K8S_93 | resource | Job | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3071 | CKV_K8S_93 | resource | Pod | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3072 | CKV_K8S_93 | resource | PodTemplate | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3073 | CKV_K8S_93 | resource | ReplicaSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3074 | CKV_K8S_93 | resource | ReplicationController | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3075 | CKV_K8S_93 | resource | StatefulSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3076 | CKV_K8S_94 | resource | CronJob | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3077 | CKV_K8S_94 | resource | DaemonSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3078 | CKV_K8S_94 | resource | Deployment | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3079 | CKV_K8S_94 | resource | DeploymentConfig | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3080 | CKV_K8S_94 | resource | Job | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3081 | CKV_K8S_94 | resource | Pod | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3082 | CKV_K8S_94 | resource | PodTemplate | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3083 | CKV_K8S_94 | resource | ReplicaSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3084 | CKV_K8S_94 | resource | ReplicationController | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3085 | CKV_K8S_94 | resource | StatefulSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3086 | CKV_K8S_95 | resource | CronJob | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3087 | CKV_K8S_95 | resource | DaemonSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3088 | CKV_K8S_95 | resource | Deployment | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3089 | CKV_K8S_95 | resource | DeploymentConfig | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3090 | CKV_K8S_95 | resource | Job | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3091 | CKV_K8S_95 | resource | Pod | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3092 | CKV_K8S_95 | resource | PodTemplate | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3093 | CKV_K8S_95 | resource | ReplicaSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3094 | CKV_K8S_95 | resource | ReplicationController | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3095 | CKV_K8S_95 | resource | StatefulSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3096 | CKV_K8S_96 | resource | CronJob | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3097 | CKV_K8S_96 | resource | DaemonSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3098 | CKV_K8S_96 | resource | Deployment | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3099 | CKV_K8S_96 | resource | DeploymentConfig | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3100 | CKV_K8S_96 | resource | Job | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3101 | CKV_K8S_96 | resource | Pod | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3102 | CKV_K8S_96 | resource | PodTemplate | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3103 | CKV_K8S_96 | resource | ReplicaSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3104 | CKV_K8S_96 | resource | ReplicationController | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3105 | CKV_K8S_96 | resource | StatefulSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3106 | CKV_K8S_97 | resource | CronJob | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3107 | CKV_K8S_97 | resource | DaemonSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3108 | CKV_K8S_97 | resource | Deployment | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3109 | CKV_K8S_97 | resource | DeploymentConfig | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3110 | CKV_K8S_97 | resource | Job | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3111 | CKV_K8S_97 | resource | Pod | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3112 | CKV_K8S_97 | resource | PodTemplate | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3113 | CKV_K8S_97 | resource | ReplicaSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3114 | CKV_K8S_97 | resource | ReplicationController | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3115 | CKV_K8S_97 | resource | StatefulSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3116 | CKV_K8S_99 | resource | CronJob | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3117 | CKV_K8S_99 | resource | DaemonSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3118 | CKV_K8S_99 | resource | Deployment | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3119 | CKV_K8S_99 | resource | DeploymentConfig | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3120 | CKV_K8S_99 | resource | Job | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3121 | CKV_K8S_99 | resource | Pod | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3122 | CKV_K8S_99 | resource | PodTemplate | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3123 | CKV_K8S_99 | resource | ReplicaSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3124 | CKV_K8S_99 | resource | ReplicationController | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3125 | CKV_K8S_99 | resource | StatefulSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3126 | CKV_K8S_100 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3127 | CKV_K8S_100 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3128 | CKV_K8S_100 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3129 | CKV_K8S_100 | resource | DeploymentConfig | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3130 | CKV_K8S_100 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3131 | CKV_K8S_100 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3132 | CKV_K8S_100 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3133 | CKV_K8S_100 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3134 | CKV_K8S_100 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3135 | CKV_K8S_100 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3136 | CKV_K8S_102 | resource | CronJob | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3137 | CKV_K8S_102 | resource | DaemonSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3138 | CKV_K8S_102 | resource | Deployment | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3139 | CKV_K8S_102 | resource | DeploymentConfig | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3140 | CKV_K8S_102 | resource | Job | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3141 | CKV_K8S_102 | resource | Pod | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3142 | CKV_K8S_102 | resource | PodTemplate | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3143 | CKV_K8S_102 | resource | ReplicaSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3144 | CKV_K8S_102 | resource | ReplicationController | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3145 | CKV_K8S_102 | resource | StatefulSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3146 | CKV_K8S_104 | resource | CronJob | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3147 | CKV_K8S_104 | resource | DaemonSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3148 | CKV_K8S_104 | resource | Deployment | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3149 | CKV_K8S_104 | resource | DeploymentConfig | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3150 | CKV_K8S_104 | resource | Job | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3151 | CKV_K8S_104 | resource | Pod | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3152 | CKV_K8S_104 | resource | PodTemplate | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3153 | CKV_K8S_104 | resource | ReplicaSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3154 | CKV_K8S_104 | resource | ReplicationController | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3155 | CKV_K8S_104 | resource | StatefulSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3156 | CKV_K8S_105 | resource | CronJob | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3157 | CKV_K8S_105 | resource | DaemonSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3158 | CKV_K8S_105 | resource | Deployment | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3159 | CKV_K8S_105 | resource | DeploymentConfig | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3160 | CKV_K8S_105 | resource | Job | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3161 | CKV_K8S_105 | resource | Pod | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3162 | CKV_K8S_105 | resource | PodTemplate | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3163 | CKV_K8S_105 | resource | ReplicaSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3164 | CKV_K8S_105 | resource | ReplicationController | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3165 | CKV_K8S_105 | resource | StatefulSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3166 | CKV_K8S_106 | resource | CronJob | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3167 | CKV_K8S_106 | resource | DaemonSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3168 | CKV_K8S_106 | resource | Deployment | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3169 | CKV_K8S_106 | resource | DeploymentConfig | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3170 | CKV_K8S_106 | resource | Job | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3171 | CKV_K8S_106 | resource | Pod | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3172 | CKV_K8S_106 | resource | PodTemplate | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3173 | CKV_K8S_106 | resource | ReplicaSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3174 | CKV_K8S_106 | resource | ReplicationController | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3175 | CKV_K8S_106 | resource | StatefulSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3176 | CKV_K8S_107 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3177 | CKV_K8S_107 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3178 | CKV_K8S_107 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3179 | CKV_K8S_107 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3180 | CKV_K8S_107 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3181 | CKV_K8S_107 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3182 | CKV_K8S_107 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3183 | CKV_K8S_107 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3184 | CKV_K8S_107 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3185 | CKV_K8S_107 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3186 | CKV_K8S_108 | resource | CronJob | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3187 | CKV_K8S_108 | resource | DaemonSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3188 | CKV_K8S_108 | resource | Deployment | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3189 | CKV_K8S_108 | resource | DeploymentConfig | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3190 | CKV_K8S_108 | resource | Job | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3191 | CKV_K8S_108 | resource | Pod | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3192 | CKV_K8S_108 | resource | PodTemplate | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3193 | CKV_K8S_108 | resource | ReplicaSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3194 | CKV_K8S_108 | resource | ReplicationController | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3195 | CKV_K8S_108 | resource | StatefulSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3196 | CKV_K8S_110 | resource | CronJob | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3197 | CKV_K8S_110 | resource | DaemonSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3198 | CKV_K8S_110 | resource | Deployment | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3199 | CKV_K8S_110 | resource | DeploymentConfig | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3200 | CKV_K8S_110 | resource | Job | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3201 | CKV_K8S_110 | resource | Pod | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3202 | CKV_K8S_110 | resource | PodTemplate | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3203 | CKV_K8S_110 | resource | ReplicaSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3204 | CKV_K8S_110 | resource | ReplicationController | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3205 | CKV_K8S_110 | resource | StatefulSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3206 | CKV_K8S_111 | resource | CronJob | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3207 | CKV_K8S_111 | resource | DaemonSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3208 | CKV_K8S_111 | resource | Deployment | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3209 | CKV_K8S_111 | resource | DeploymentConfig | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3210 | CKV_K8S_111 | resource | Job | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3211 | CKV_K8S_111 | resource | Pod | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3212 | CKV_K8S_111 | resource | PodTemplate | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3213 | CKV_K8S_111 | resource | ReplicaSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3214 | CKV_K8S_111 | resource | ReplicationController | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3215 | CKV_K8S_111 | resource | StatefulSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3216 | CKV_K8S_112 | resource | CronJob | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3217 | CKV_K8S_112 | resource | DaemonSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3218 | CKV_K8S_112 | resource | Deployment | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3219 | CKV_K8S_112 | resource | DeploymentConfig | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3220 | CKV_K8S_112 | resource | Job | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3221 | CKV_K8S_112 | resource | Pod | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3222 | CKV_K8S_112 | resource | PodTemplate | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3223 | CKV_K8S_112 | resource | ReplicaSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3224 | CKV_K8S_112 | resource | ReplicationController | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3225 | CKV_K8S_112 | resource | StatefulSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3226 | CKV_K8S_113 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3227 | CKV_K8S_113 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3228 | CKV_K8S_113 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3229 | CKV_K8S_113 | resource | DeploymentConfig | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3230 | CKV_K8S_113 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3231 | CKV_K8S_113 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3232 | CKV_K8S_113 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3233 | CKV_K8S_113 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3234 | CKV_K8S_113 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3235 | CKV_K8S_113 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3236 | CKV_K8S_114 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3237 | CKV_K8S_114 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3238 | CKV_K8S_114 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3239 | CKV_K8S_114 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3240 | CKV_K8S_114 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3241 | CKV_K8S_114 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3242 | CKV_K8S_114 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3243 | CKV_K8S_114 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3244 | CKV_K8S_114 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3245 | CKV_K8S_114 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3246 | CKV_K8S_115 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3247 | CKV_K8S_115 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3248 | CKV_K8S_115 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3249 | CKV_K8S_115 | resource | DeploymentConfig | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3250 | CKV_K8S_115 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3251 | CKV_K8S_115 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3252 | CKV_K8S_115 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3253 | CKV_K8S_115 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3254 | CKV_K8S_115 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3255 | CKV_K8S_115 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3256 | CKV_K8S_116 | resource | CronJob | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3257 | CKV_K8S_116 | resource | DaemonSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3258 | CKV_K8S_116 | resource | Deployment | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3259 | CKV_K8S_116 | resource | DeploymentConfig | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3260 | CKV_K8S_116 | resource | Job | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3261 | CKV_K8S_116 | resource | Pod | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3262 | CKV_K8S_116 | resource | PodTemplate | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3263 | CKV_K8S_116 | resource | ReplicaSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3264 | CKV_K8S_116 | resource | ReplicationController | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3265 | CKV_K8S_116 | resource | StatefulSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3266 | CKV_K8S_117 | resource | CronJob | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3267 | CKV_K8S_117 | resource | DaemonSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3268 | CKV_K8S_117 | resource | Deployment | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3269 | CKV_K8S_117 | resource | DeploymentConfig | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3270 | CKV_K8S_117 | resource | Job | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3271 | CKV_K8S_117 | resource | Pod | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3272 | CKV_K8S_117 | resource | PodTemplate | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3273 | CKV_K8S_117 | resource | ReplicaSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3274 | CKV_K8S_117 | resource | ReplicationController | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3275 | CKV_K8S_117 | resource | StatefulSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3276 | CKV_K8S_118 | resource | CronJob | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3277 | CKV_K8S_118 | resource | DaemonSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3278 | CKV_K8S_118 | resource | Deployment | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3279 | CKV_K8S_118 | resource | DeploymentConfig | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3280 | CKV_K8S_118 | resource | Job | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3281 | CKV_K8S_118 | resource | Pod | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3282 | CKV_K8S_118 | resource | PodTemplate | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3283 | CKV_K8S_118 | resource | ReplicaSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3284 | CKV_K8S_118 | resource | ReplicationController | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3285 | CKV_K8S_118 | resource | StatefulSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3286 | CKV_K8S_119 | resource | CronJob | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3287 | CKV_K8S_119 | resource | DaemonSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3288 | CKV_K8S_119 | resource | Deployment | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3289 | CKV_K8S_119 | resource | DeploymentConfig | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3290 | CKV_K8S_119 | resource | Job | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3291 | CKV_K8S_119 | resource | Pod | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3292 | CKV_K8S_119 | resource | PodTemplate | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3293 | CKV_K8S_119 | resource | ReplicaSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3294 | CKV_K8S_119 | resource | ReplicationController | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3295 | CKV_K8S_119 | resource | StatefulSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3296 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true | Kubernetes | [PeerClientCertAuthTrue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PeerClientCertAuthTrue.py) | +| 3297 | CKV_K8S_138 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3298 | CKV_K8S_138 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3299 | CKV_K8S_138 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3300 | CKV_K8S_138 | resource | DeploymentConfig | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3301 | CKV_K8S_138 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3302 | CKV_K8S_138 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3303 | CKV_K8S_138 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3304 | CKV_K8S_138 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3305 | CKV_K8S_138 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3306 | CKV_K8S_138 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3307 | CKV_K8S_139 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3308 | CKV_K8S_139 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3309 | CKV_K8S_139 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3310 | CKV_K8S_139 | resource | DeploymentConfig | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3311 | CKV_K8S_139 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3312 | CKV_K8S_139 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3313 | CKV_K8S_139 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3314 | CKV_K8S_139 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3315 | CKV_K8S_139 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3316 | CKV_K8S_139 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3317 | CKV_K8S_140 | resource | CronJob | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3318 | CKV_K8S_140 | resource | DaemonSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3319 | CKV_K8S_140 | resource | Deployment | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3320 | CKV_K8S_140 | resource | DeploymentConfig | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3321 | CKV_K8S_140 | resource | Job | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3322 | CKV_K8S_140 | resource | Pod | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3323 | CKV_K8S_140 | resource | PodTemplate | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3324 | CKV_K8S_140 | resource | ReplicaSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3325 | CKV_K8S_140 | resource | ReplicationController | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3326 | CKV_K8S_140 | resource | StatefulSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3327 | CKV_K8S_141 | resource | CronJob | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3328 | CKV_K8S_141 | resource | DaemonSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3329 | CKV_K8S_141 | resource | Deployment | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3330 | CKV_K8S_141 | resource | DeploymentConfig | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3331 | CKV_K8S_141 | resource | Job | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3332 | CKV_K8S_141 | resource | Pod | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3333 | CKV_K8S_141 | resource | PodTemplate | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3334 | CKV_K8S_141 | resource | ReplicaSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3335 | CKV_K8S_141 | resource | ReplicationController | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3336 | CKV_K8S_141 | resource | StatefulSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3337 | CKV_K8S_143 | resource | CronJob | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3338 | CKV_K8S_143 | resource | DaemonSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3339 | CKV_K8S_143 | resource | Deployment | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3340 | CKV_K8S_143 | resource | DeploymentConfig | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3341 | CKV_K8S_143 | resource | Job | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3342 | CKV_K8S_143 | resource | Pod | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3343 | CKV_K8S_143 | resource | PodTemplate | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3344 | CKV_K8S_143 | resource | ReplicaSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3345 | CKV_K8S_143 | resource | ReplicationController | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3346 | CKV_K8S_143 | resource | StatefulSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3347 | CKV_K8S_144 | resource | CronJob | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3348 | CKV_K8S_144 | resource | DaemonSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3349 | CKV_K8S_144 | resource | Deployment | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3350 | CKV_K8S_144 | resource | DeploymentConfig | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3351 | CKV_K8S_144 | resource | Job | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3352 | CKV_K8S_144 | resource | Pod | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3353 | CKV_K8S_144 | resource | PodTemplate | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3354 | CKV_K8S_144 | resource | ReplicaSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3355 | CKV_K8S_144 | resource | ReplicationController | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3356 | CKV_K8S_144 | resource | StatefulSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3357 | CKV_K8S_145 | resource | CronJob | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3358 | CKV_K8S_145 | resource | DaemonSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3359 | CKV_K8S_145 | resource | Deployment | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3360 | CKV_K8S_145 | resource | DeploymentConfig | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3361 | CKV_K8S_145 | resource | Job | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3362 | CKV_K8S_145 | resource | Pod | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3363 | CKV_K8S_145 | resource | PodTemplate | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3364 | CKV_K8S_145 | resource | ReplicaSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3365 | CKV_K8S_145 | resource | ReplicationController | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3366 | CKV_K8S_145 | resource | StatefulSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3367 | CKV_K8S_146 | resource | CronJob | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3368 | CKV_K8S_146 | resource | DaemonSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3369 | CKV_K8S_146 | resource | Deployment | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3370 | CKV_K8S_146 | resource | DeploymentConfig | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3371 | CKV_K8S_146 | resource | Job | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3372 | CKV_K8S_146 | resource | Pod | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3373 | CKV_K8S_146 | resource | PodTemplate | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3374 | CKV_K8S_146 | resource | ReplicaSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3375 | CKV_K8S_146 | resource | ReplicationController | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3376 | CKV_K8S_146 | resource | StatefulSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3377 | CKV_K8S_147 | resource | CronJob | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3378 | CKV_K8S_147 | resource | DaemonSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3379 | CKV_K8S_147 | resource | Deployment | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3380 | CKV_K8S_147 | resource | DeploymentConfig | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3381 | CKV_K8S_147 | resource | Job | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3382 | CKV_K8S_147 | resource | Pod | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3383 | CKV_K8S_147 | resource | PodTemplate | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3384 | CKV_K8S_147 | resource | ReplicaSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3385 | CKV_K8S_147 | resource | ReplicationController | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3386 | CKV_K8S_147 | resource | StatefulSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3387 | CKV_K8S_148 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3388 | CKV_K8S_148 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3389 | CKV_K8S_148 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3390 | CKV_K8S_148 | resource | DeploymentConfig | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3391 | CKV_K8S_148 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3392 | CKV_K8S_148 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3393 | CKV_K8S_148 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3394 | CKV_K8S_148 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3395 | CKV_K8S_148 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3396 | CKV_K8S_148 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3397 | CKV_K8S_149 | resource | CronJob | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3398 | CKV_K8S_149 | resource | DaemonSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3399 | CKV_K8S_149 | resource | Deployment | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3400 | CKV_K8S_149 | resource | DeploymentConfig | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3401 | CKV_K8S_149 | resource | Job | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3402 | CKV_K8S_149 | resource | Pod | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3403 | CKV_K8S_149 | resource | PodTemplate | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3404 | CKV_K8S_149 | resource | ReplicaSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3405 | CKV_K8S_149 | resource | ReplicationController | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3406 | CKV_K8S_149 | resource | StatefulSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3407 | CKV_K8S_151 | resource | CronJob | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3408 | CKV_K8S_151 | resource | DaemonSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3409 | CKV_K8S_151 | resource | Deployment | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3410 | CKV_K8S_151 | resource | DeploymentConfig | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3411 | CKV_K8S_151 | resource | Job | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3412 | CKV_K8S_151 | resource | Pod | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3413 | CKV_K8S_151 | resource | PodTemplate | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3414 | CKV_K8S_151 | resource | ReplicaSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3415 | CKV_K8S_151 | resource | ReplicationController | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3416 | CKV_K8S_151 | resource | StatefulSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3417 | CKV_K8S_152 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain LUA code execution. See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742Lua.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Lua.py) | +| 3418 | CKV_K8S_153 | resource | Ingress | Prevent All NGINX Ingress annotation snippets. See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742AllSnippets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742AllSnippets.py) | +| 3419 | CKV_K8S_154 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain alias statements See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742Alias.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Alias.py) | +| 3420 | CKV_K8S_155 | resource | ClusterRole | Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations | Kubernetes | [RbacControlWebhooks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py) | +| 3421 | CKV_K8S_156 | resource | ClusterRole | Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests | Kubernetes | [RbacApproveCertificateSigningRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacApproveCertificateSigningRequests.py) | +| 3422 | CKV_K8S_157 | resource | ClusterRole | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | Kubernetes | [RbacBindRoleBindings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py) | +| 3423 | CKV_K8S_157 | resource | Role | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | Kubernetes | [RbacBindRoleBindings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py) | +| 3424 | CKV_K8S_158 | resource | ClusterRole | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | Kubernetes | [RbacEscalateRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py) | +| 3425 | CKV_K8S_158 | resource | Role | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | Kubernetes | [RbacEscalateRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py) | +| 3426 | CKV2_K8S_1 | resource | ClusterRole | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | +| 3427 | CKV2_K8S_1 | resource | ClusterRoleBinding | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | +| 3428 | CKV2_K8S_1 | resource | Role | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | +| 3429 | CKV2_K8S_1 | resource | RoleBinding | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | +| 3430 | CKV2_K8S_2 | resource | ClusterRole | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | +| 3431 | CKV2_K8S_2 | resource | ClusterRoleBinding | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | +| 3432 | CKV2_K8S_2 | resource | Role | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | +| 3433 | CKV2_K8S_2 | resource | RoleBinding | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | +| 3434 | CKV2_K8S_3 | resource | ClusterRole | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | +| 3435 | CKV2_K8S_3 | resource | ClusterRoleBinding | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | +| 3436 | CKV2_K8S_3 | resource | Role | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | +| 3437 | CKV2_K8S_3 | resource | RoleBinding | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | +| 3438 | CKV2_K8S_4 | resource | ClusterRole | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | +| 3439 | CKV2_K8S_4 | resource | ClusterRoleBinding | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | +| 3440 | CKV2_K8S_4 | resource | Role | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | +| 3441 | CKV2_K8S_4 | resource | RoleBinding | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | +| 3442 | CKV2_K8S_5 | resource | ClusterRole | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | +| 3443 | CKV2_K8S_5 | resource | ClusterRoleBinding | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | +| 3444 | CKV2_K8S_5 | resource | Role | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | +| 3445 | CKV2_K8S_5 | resource | RoleBinding | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | +| 3446 | CKV2_K8S_6 | resource | Deployment | Minimize the admission of pods which lack an associated NetworkPolicy | Kubernetes | [RequireAllPodsToHaveNetworkPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RequireAllPodsToHaveNetworkPolicy.yaml) | +| 3447 | CKV2_K8S_6 | resource | Pod | Minimize the admission of pods which lack an associated NetworkPolicy | Kubernetes | [RequireAllPodsToHaveNetworkPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RequireAllPodsToHaveNetworkPolicy.yaml) | +| 3448 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/linode/credentials.py) | +| 3449 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | [authorized_keys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/authorized_keys.py) | +| 3450 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | [user_email_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_email_set.py) | +| 3451 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | [user_username_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_username_set.py) | +| 3452 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_inbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_inbound_policy.py) | +| 3453 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_outbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_outbound_policy.py) | +| 3454 | CKV_NCP_1 | resource | ncloud_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupDefinesHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py) | +| 3455 | CKV_NCP_2 | resource | ncloud_access_control_group | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | +| 3456 | CKV_NCP_2 | resource | ncloud_access_control_group_rule | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | +| 3457 | CKV_NCP_3 | resource | ncloud_access_control_group_rule | Ensure no security group rules allow outbound traffic to 0.0.0.0/0 | Terraform | [AccessControlGroupOutboundRule.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py) | +| 3458 | CKV_NCP_4 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22 | Terraform | [AccessControlGroupInboundRulePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort22.py) | +| 3459 | CKV_NCP_5 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [AccessControlGroupInboundRulePort3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort3389.py) | +| 3460 | CKV_NCP_6 | resource | ncloud_server | Ensure Server instance is encrypted. | Terraform | [ServerEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerEncryptionVPC.py) | +| 3461 | CKV_NCP_7 | resource | ncloud_launch_configuration | Ensure Basic Block storage is encrypted. | Terraform | [LaunchConfigurationEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LaunchConfigurationEncryptionVPC.py) | +| 3462 | CKV_NCP_8 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 20 | Terraform | [NACLInbound20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound20.py) | +| 3463 | CKV_NCP_9 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 21 | Terraform | [NACLInbound21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound21.py) | +| 3464 | CKV_NCP_10 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 22 | Terraform | [NACLInbound22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound22.py) | +| 3465 | CKV_NCP_11 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [NACLInbound3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound3389.py) | +| 3466 | CKV_NCP_12 | resource | ncloud_network_acl_rule | An inbound Network ACL rule should not allow ALL ports. | Terraform | [NACLPortCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLPortCheck.py) | +| 3467 | CKV_NCP_13 | resource | ncloud_lb_listener | Ensure LB Listener uses only secure protocols | Terraform | [LBListenerUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py) | +| 3468 | CKV_NCP_14 | resource | ncloud_nas_volume | Ensure NAS is securely encrypted | Terraform | [NASEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py) | +| 3469 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | [LBTargetGroupUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py) | +| 3470 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | [LBNetworkPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py) | +| 3471 | CKV_NCP_18 | resource | ncloud_auto_scaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | +| 3472 | CKV_NCP_18 | resource | ncloud_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | +| 3473 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | [NKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSPublicAccess.py) | +| 3474 | CKV_NCP_20 | resource | ncloud_route | Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | Terraform | [RouteTableNATGatewayDefault.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py) | +| 3475 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | [NKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py) | +| 3476 | CKV_NCP_22 | resource | ncloud_route_table | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | +| 3477 | CKV_NCP_22 | resource | ncloud_subnet | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | +| 3478 | CKV_NCP_23 | resource | ncloud_public_ip | Ensure Server instance should not have public IP. | Terraform | [ServerPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerPublicIP.py) | +| 3479 | CKV_NCP_24 | resource | ncloud_lb_listener | Ensure Load Balancer Listener Using HTTPS | Terraform | [LBListenerUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsingHTTPS.py) | +| 3480 | CKV_NCP_25 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 | Terraform | [AccessControlGroupInboundRulePort80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort80.py) | +| 3481 | CKV_NCP_26 | resource | ncloud_access_control_group | Ensure Access Control Group has Access Control Group Rule attached | Terraform | [AccessControlGroupRuleDefine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AccessControlGroupRuleDefine.yaml) | +| 3482 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/oci/credentials.py) | +| 3483 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | [StorageBlockBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockBackupEnabled.py) | +| 3484 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | [StorageBlockEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockEncryption.py) | +| 3485 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | [InstanceBootVolumeIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceBootVolumeIntransitEncryption.py) | +| 3486 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | [InstanceMetadataServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMetadataServiceEnabled.py) | +| 3487 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | [InstanceMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMonitoringEnabled.py) | +| 3488 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | [ObjectStorageEmitEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEmitEvents.py) | +| 3489 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | [ObjectStorageVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageVersioning.py) | +| 3490 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | [ObjectStorageEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEncryption.py) | +| 3491 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | [ObjectStoragePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStoragePublic.py) | +| 3492 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | [IAMPasswordPolicyLowerCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyLowerCase.py) | +| 3493 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | [IAMPasswordPolicyNumeric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyNumeric.py) | +| 3494 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | [IAMPasswordPolicySpecialCharacters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicySpecialCharacters.py) | +| 3495 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | [IAMPasswordPolicyUpperCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyUpperCase.py) | +| 3496 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | [FileSystemEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/FileSystemEncryption.py) | +| 3497 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | [SecurityListIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngress.py) | +| 3498 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | [SecurityListIngressStateless.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngressStateless.py) | +| 3499 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters | Terraform | [IAMPasswordLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordLength.py) | +| 3500 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | [SecurityListUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress22.py) | +| 3501 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | [SecurityListUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress3389.py) | +| 3502 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | [SecurityGroupsIngressStatelessSecurityRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityGroupsIngressStatelessSecurityRules.py) | +| 3503 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | [AbsSecurityGroupUnrestrictedIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/AbsSecurityGroupUnrestrictedIngress.py) | +| 3504 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 3505 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 3506 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 3507 | CKV2_OCI_2 | resource | oci_core_network_security_group_security_rule | Ensure NSG does not allow all traffic on RDP port (3389) | Terraform | [OCI_NSGNotAllowRDP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml) | +| 3508 | CKV2_OCI_3 | resource | oci_containerengine_cluster | Ensure Kubernetes engine cluster is configured with NSG(s) | Terraform | [OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml) | +| 3509 | CKV2_OCI_4 | resource | oci_file_storage_export | Ensure File Storage File System access is restricted to root users | Terraform | [OCI_NFSaccessRestrictedToRootUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NFSaccessRestrictedToRootUsers.yaml) | +| 3510 | CKV2_OCI_5 | resource | oci_containerengine_node_pool | Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Terraform | [OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml) | +| 3511 | CKV2_OCI_6 | resource | oci_containerengine_cluster | Ensure Kubernetes Engine Cluster pod security policy is enforced | Terraform | [OCI_K8EngineClusterPodSecPolicyEnforced.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterPodSecPolicyEnforced.yaml) | +| 3512 | CKV_OPENAPI_1 | resource | securityDefinitions | Ensure that securityDefinitions is defined and not empty - version 2.0 files | OpenAPI | [SecurityDefinitions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityDefinitions.py) | +| 3513 | CKV_OPENAPI_2 | resource | security | Ensure that if the security scheme is not of type 'oauth2', the array value must be empty - version 2.0 files | OpenAPI | [Oauth2SecurityRequirement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityRequirement.py) | +| 3514 | CKV_OPENAPI_3 | resource | components | Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files | OpenAPI | [CleartextOverUnencryptedChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v3/CleartextOverUnencryptedChannel.py) | +| 3515 | CKV_OPENAPI_4 | resource | security | Ensure that the global security field has rules defined | OpenAPI | [GlobalSecurityFieldIsEmpty.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/GlobalSecurityFieldIsEmpty.py) | +| 3516 | CKV_OPENAPI_5 | resource | security | Ensure that security operations is not empty. | OpenAPI | [SecurityOperations.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/SecurityOperations.py) | +| 3517 | CKV_OPENAPI_6 | resource | security | Ensure that security requirement defined in securityDefinitions - version 2.0 files | OpenAPI | [SecurityRequirement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityRequirement.py) | +| 3518 | CKV_OPENAPI_7 | resource | security | Ensure that the path scheme does not support unencrypted HTTP connection where all transmissions are open to interception- version 2.0 files | OpenAPI | [PathSchemeDefineHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/PathSchemeDefineHTTP.py) | +| 3519 | CKV_OPENAPI_8 | resource | security | Ensure that security is not using 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2SecurityPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityPasswordFlow.py) | +| 3520 | CKV_OPENAPI_9 | resource | paths | Ensure that security scopes of operations are defined in securityDefinitions - version 2.0 files | OpenAPI | [OperationObjectSecurityScopeUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectSecurityScopeUndefined.py) | +| 3521 | CKV_OPENAPI_10 | resource | paths | Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2OperationObjectPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2OperationObjectPasswordFlow.py) | +| 3522 | CKV_OPENAPI_11 | resource | securityDefinitions | Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2SecurityDefinitionPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityDefinitionPasswordFlow.py) | +| 3523 | CKV_OPENAPI_12 | resource | securityDefinitions | Ensure no security definition is using implicit flow on OAuth2, which is deprecated - version 2.0 files | OpenAPI | [Oauth2SecurityDefinitionImplicitFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityDefinitionImplicitFlow.py) | +| 3524 | CKV_OPENAPI_13 | resource | securityDefinitions | Ensure security definitions do not use basic auth - version 2.0 files | OpenAPI | [SecurityDefinitionBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityDefinitionBasicAuth.py) | +| 3525 | CKV_OPENAPI_14 | resource | paths | Ensure that operation objects do not use 'implicit' flow, which is deprecated - version 2.0 files | OpenAPI | [OperationObjectImplicitFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectImplicitFlow.py) | +| 3526 | CKV_OPENAPI_15 | resource | paths | Ensure that operation objects do not use basic auth - version 2.0 files | OpenAPI | [OperationObjectBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectBasicAuth.py) | +| 3527 | CKV_OPENAPI_16 | resource | paths | Ensure that operation objects have 'produces' field defined for GET operations - version 2.0 files | OpenAPI | [OperationObjectProducesUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectProducesUndefined.py) | +| 3528 | CKV_OPENAPI_17 | resource | paths | Ensure that operation objects have 'consumes' field defined for PUT, POST and PATCH operations - version 2.0 files | OpenAPI | [OperationObjectConsumesUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectConsumesUndefined.py) | +| 3529 | CKV_OPENAPI_18 | resource | schemes | Ensure that global schemes use 'https' protocol instead of 'http'- version 2.0 files | OpenAPI | [GlobalSchemeDefineHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/GlobalSchemeDefineHTTP.py) | +| 3530 | CKV_OPENAPI_19 | resource | security | Ensure that global security scope is defined in securityDefinitions - version 2.0 files | OpenAPI | [GlobalSecurityScopeUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/GlobalSecurityScopeUndefined.py) | +| 3531 | CKV_OPENAPI_20 | resource | paths | Ensure that API keys are not sent over cleartext | OpenAPI | [ClearTextAPIKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/ClearTextAPIKey.py) | +| 3532 | CKV_OPENAPI_21 | resource | paths | Ensure that arrays have a maximum number of items | OpenAPI | [NoMaximumNumberItems.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/NoMaximumNumberItems.py) | +| 3533 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/openstack/credentials.py) | +| 3534 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | +| 3535 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | +| 3536 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | +| 3537 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | +| 3538 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | [ComputeInstanceAdminPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/ComputeInstanceAdminPassword.py) | +| 3539 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | [FirewallRuleSetDestinationIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/FirewallRuleSetDestinationIP.py) | +| 3540 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/panos/credentials.py) | +| 3541 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoHTTP.py) | +| 3542 | CKV_PAN_2 | resource | tasks.paloaltonetworks.panos.panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Ansible | [PanosInterfaceMgmtProfileNoHTTP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoHTTP.yaml) | +| 3543 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoTelnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoTelnet.py) | +| 3544 | CKV_PAN_3 | resource | tasks.paloaltonetworks.panos.panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Ansible | [PanosInterfaceMgmtProfileNoTelnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoTelnet.yaml) | +| 3545 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | +| 3546 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | +| 3547 | CKV_PAN_4 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure DSRI is not enabled within security policies | Ansible | [PanosPolicyNoDSRI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoDSRI.yaml) | +| 3548 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | +| 3549 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | +| 3550 | CKV_PAN_5 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'application' set to 'any' | Ansible | [PanosPolicyNoApplicationAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoApplicationAny.yaml) | +| 3551 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | +| 3552 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | +| 3553 | CKV_PAN_6 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'service' set to 'any' | Ansible | [PanosPolicyNoServiceAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoServiceAny.yaml) | +| 3554 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | +| 3555 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | +| 3556 | CKV_PAN_7 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'source_ip' and 'destination_ip' both containing values of 'any' | Ansible | [PanosPolicyNoSrcAnyDstAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoSrcAnyDstAny.yaml) | +| 3557 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | +| 3558 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | +| 3559 | CKV_PAN_8 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure description is populated within security policies | Ansible | [PanosPolicyDescription.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyDescription.yaml) | +| 3560 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | +| 3561 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | +| 3562 | CKV_PAN_9 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure a Log Forwarding Profile is selected for each security policy rule | Ansible | [PanosPolicyLogForwarding.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLogForwarding.yaml) | +| 3563 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | +| 3564 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | +| 3565 | CKV_PAN_10 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure logging at session end is enabled within security policies | Ansible | [PanosPolicyLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLoggingEnabled.yaml) | +| 3566 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | +| 3567 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | +| 3568 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | +| 3569 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | +| 3570 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | +| 3571 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | +| 3572 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 3573 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 3574 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 3575 | CKV_PAN_14 | resource | tasks.paloaltonetworks.panos.panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Ansible | [PanosZoneProtectionProfile.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosZoneProtectionProfile.yaml) | +| 3576 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | +| 3577 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | +| 3578 | CKV_PAN_15 | resource | tasks.paloaltonetworks.panos.panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Ansible | [PanosZoneUserIDIncludeACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosZoneUserIDIncludeACL.yaml) | +| 3579 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3580 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3581 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3582 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3583 | CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3584 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3585 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3586 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3587 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3588 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3589 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3590 | CKV_SECRET_13 | Private Key | secrets | Private Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3591 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3592 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3593 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3594 | CKV_SECRET_17 | Stripe Access Key | secrets | Stripe Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3595 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3596 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3597 | CKV_TF_1 | module | module | Ensure Terraform module sources use a commit hash | Terraform | [RevisionHash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py) | +| 3598 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3599 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3600 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3601 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3602 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3603 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3604 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3605 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3606 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3607 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | [ComputeVMPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMPublicIP.py) | +| 3608 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | [ObjectStorageBucketEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketEncryption.py) | +| 3609 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | [ComputeVMSerialConsole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSerialConsole.py) | +| 3610 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | [K8SPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SPublicIP.py) | +| 3611 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | [K8SNodeGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupPublicIP.py) | +| 3612 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform | [K8SAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SAutoUpgrade.py) | +| 3613 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | [K8SNodeGroupAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupAutoUpgrade.py) | +| 3614 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | [KMSSymmetricKeyRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/KMSSymmetricKeyRotation.py) | +| 3615 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | [K8SEtcdKMSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SEtcdKMSEncryption.py) | +| 3616 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | [ComputeVMSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSecurityGroup.py) | +| 3617 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3618 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3619 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3620 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3621 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3622 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3623 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3624 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3625 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | +| 3626 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | +| 3627 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | [K8SSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SSecurityGroup.py) | +| 3628 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | [K8SNodeGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupSecurityGroup.py) | +| 3629 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | [K8SNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNetworkPolicy.py) | +| 3630 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. | Terraform | [ObjectStorageBucketPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py) | +| 3631 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | [ComputeInstanceGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupPublicIP.py) | +| 3632 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform | [VPCSecurityGroupAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py) | +| 3633 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | [VPCSecurityGroupRuleAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py) | +| 3634 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | +| 3635 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | +| 3636 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform | [ComputeInstanceGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupSecurityGroup.py) | +| 3637 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | +| 3638 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | +| 3639 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3640 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3641 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3642 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3643 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3644 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | --- diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 39255059663..1a4ed90a731 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -1402,665 +1402,680 @@ nav_order: 1 | 1391 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMEncryptionAtHost.py) | | 1392 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | [APIManagementCertsEnforced.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementCertsEnforced.py) | | 1393 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | -| 1394 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | [AppServiceSlotMinTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py) | -| 1395 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotDebugDisabled.py) | -| 1396 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | [MSSQLServerAuditPolicyLogMonitor.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerAuditPolicyLogMonitor.py) | -| 1397 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesDataExfilProtection.py) | -| 1398 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace is not public | Terraform | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py) | -| 1399 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | -| 1400 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | -| 1401 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | -| 1402 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | -| 1403 | CKV_AZURE_161 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal is enabled on for HTTPS | Terraform | [SpringCloudAPIPortalHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalHTTPSOnly.py) | -| 1404 | CKV_AZURE_162 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal Public Access Is Disabled | Terraform | [SpringCloudAPIPortalPublicAccessIsDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py) | -| 1405 | CKV_AZURE_163 | resource | azurerm_container_registry | Enable vulnerability scanning for container images. | Terraform | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py) | -| 1406 | CKV_AZURE_164 | resource | azurerm_container_registry | Ensures that ACR uses signed/trusted images | Terraform | [ACRUseSignedImages.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRUseSignedImages.py) | -| 1407 | CKV_AZURE_165 | resource | azurerm_container_registry | Ensure geo-replicated container registries to match multi-region container deployments. | Terraform | [ACRGeoreplicated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py) | -| 1408 | CKV_AZURE_166 | resource | azurerm_container_registry | Ensure container image quarantine, scan, and mark images verified | Terraform | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableImageQuarantine.py) | -| 1409 | CKV_AZURE_167 | resource | azurerm_container_registry | Ensure a retention policy is set to cleanup untagged manifests. | Terraform | [ACREnableRetentionPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py) | -| 1410 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | -| 1411 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster_node_pool | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | -| 1412 | CKV_AZURE_169 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Terraform | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSPoolTypeIsScaleSet.py) | -| 1413 | CKV_AZURE_170 | resource | azurerm_kubernetes_cluster | Ensure that AKS use the Paid Sku for its SLA | Terraform | [AKSIsPaidSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSIsPaidSku.py) | -| 1414 | CKV_AZURE_171 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster upgrade channel is chosen | Terraform | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUpgradeChannel.py) | -| 1415 | CKV_AZURE_172 | resource | azurerm_kubernetes_cluster | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Terraform | [AKSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSSecretStoreRotation.py) | -| 1416 | CKV_AZURE_173 | resource | azurerm_api_management | Ensure API management uses at least TLS 1.2 | Terraform | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py) | -| 1417 | CKV_AZURE_174 | resource | azurerm_api_management | Ensure API management public access is disabled | Terraform | [APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementPublicAccess.py) | -| 1418 | CKV_AZURE_175 | resource | azurerm_web_pubsub | Ensure Web PubSub uses a SKU with an SLA | Terraform | [PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSKUSLA.py) | -| 1419 | CKV_AZURE_176 | resource | azurerm_web_pubsub | Ensure Web PubSub uses managed identities to access Azure resources | Terraform | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSpecifyIdentity.py) | -| 1420 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | -| 1421 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine_scale_set | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | -| 1422 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | -| 1423 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine_scale_set | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | -| 1424 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1425 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1426 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1427 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1428 | CKV_AZURE_180 | resource | azurerm_kusto_cluster | Ensure that data explorer uses Sku with an SLA | Terraform | [DataExplorerSKUHasSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerSKUHasSLA.py) | -| 1429 | CKV_AZURE_181 | resource | azurerm_kusto_cluster | Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. | Terraform | [DataExplorerServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerServiceIdentity.py) | -| 1430 | CKV_AZURE_182 | resource | azurerm_virtual_network | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | -| 1431 | CKV_AZURE_182 | resource | azurerm_virtual_network_dns_servers | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | -| 1432 | CKV_AZURE_183 | resource | azurerm_virtual_network | Ensure that VNET uses local DNS addresses | Terraform | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetLocalDNS.py) | -| 1433 | CKV_AZURE_184 | resource | azurerm_app_configuration | Ensure 'local_auth_enabled' is set to 'False' | Terraform | [AppConfigLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigLocalAuth.py) | -| 1434 | CKV_AZURE_185 | resource | azurerm_app_configuration | Ensure 'Public Access' is not Enabled for App configuration | Terraform | [AppConfigPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPublicAccess.py) | -| 1435 | CKV_AZURE_186 | resource | azurerm_app_configuration | Ensure App configuration encryption block is set. | Terraform | [AppConfigEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigEncryption.py) | -| 1436 | CKV_AZURE_187 | resource | azurerm_app_configuration | Ensure App configuration purge protection is enabled | Terraform | [AppConfigPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPurgeProtection.py) | -| 1437 | CKV_AZURE_188 | resource | azurerm_app_configuration | Ensure App configuration Sku is standard | Terraform | [AppConfigSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigSku.py) | -| 1438 | CKV_AZURE_189 | resource | azurerm_key_vault | Ensure that Azure Key Vault disables public network access | Terraform | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py) | -| 1439 | CKV_AZURE_190 | resource | azurerm_storage_account | Ensure that Storage blobs restrict public access | Terraform | [StorageBlobRestrictPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py) | -| 1440 | CKV_AZURE_191 | resource | azurerm_eventgrid_topic | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Terraform | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicIdentityProviderEnabled.py) | -| 1441 | CKV_AZURE_192 | resource | azurerm_eventgrid_topic | Ensure that Azure Event Grid Topic local Authentication is disabled | Terraform | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicLocalAuthentication.py) | -| 1442 | CKV_AZURE_193 | resource | azurerm_eventgrid_topic | Ensure public network access is disabled for Azure Event Grid Topic | Terraform | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicNetworkAccess.py) | -| 1443 | CKV_AZURE_194 | resource | azurerm_eventgrid_domain | Ensure that Managed identity provider is enabled for Azure Event Grid Domain | Terraform | [EventgridDomainIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainIdentityProviderEnabled.py) | -| 1444 | CKV_AZURE_195 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain local Authentication is disabled | Terraform | [EventgridDomainLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainLocalAuthentication.py) | -| 1445 | CKV_AZURE_196 | resource | azurerm_signalr_service | Ensure that SignalR uses a Paid Sku for its SLA | Terraform | [SignalRSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SignalRSKUSLA.py) | -| 1446 | CKV_AZURE_197 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN disables the HTTP endpoint | Terraform | [CDNDisableHttpEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNDisableHttpEndpoints.py) | -| 1447 | CKV_AZURE_198 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN enables the HTTPS endpoint | Terraform | [CDNEnableHttpsEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNEnableHttpsEndpoints.py) | -| 1448 | CKV_AZURE_199 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses double encryption | Terraform | [AzureServicebusDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusDoubleEncryptionEnabled.py) | -| 1449 | CKV_AZURE_200 | resource | azurerm_cdn_endpoint_custom_domain | Ensure the Azure CDN endpoint is using the latest version of TLS encryption | Terraform | [CDNTLSProtocol12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py) | -| 1450 | CKV_AZURE_201 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses a customer-managed key to encrypt data | Terraform | [AzureServicebusHasCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusHasCMK.py) | -| 1451 | CKV_AZURE_202 | resource | azurerm_servicebus_namespace | Ensure that Managed identity provider is enabled for Azure Service Bus | Terraform | [AzureServicebusIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusIdentityProviderEnabled.py) | -| 1452 | CKV_AZURE_203 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus Local Authentication is disabled | Terraform | [AzureServicebusLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusLocalAuthDisabled.py) | -| 1453 | CKV_AZURE_204 | resource | azurerm_servicebus_namespace | Ensure 'public network access enabled' is set to 'False' for Azure Service Bus | Terraform | [AzureServicebusPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusPublicAccessDisabled.py) | -| 1454 | CKV_AZURE_205 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus is using the latest version of TLS encryption | Terraform | [AzureServicebusMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusMinTLSVersion.py) | -| 1455 | CKV_AZURE_206 | resource | azurerm_storage_account | Ensure that Storage Accounts use replication | Terraform | [StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsUseReplication.py) | -| 1456 | CKV_AZURE_207 | resource | azurerm_search_service | Ensure Azure Cognitive Search service uses managed identities to access Azure resources | Terraform | [AzureSearchManagedIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchManagedIdentity.py) | -| 1457 | CKV_AZURE_208 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for index updates | Terraform | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAIndex.py) | -| 1458 | CKV_AZURE_209 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for search index queries | Terraform | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAQueryUpdates.py) | -| 1459 | CKV_AZURE_210 | resource | azurerm_search_service | Ensure Azure Cognitive Search service allowed IPS does not give public Access | Terraform | [AzureSearchAllowedIPsNotGlobal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchAllowedIPsNotGlobal.py) | -| 1460 | CKV_AZURE_211 | resource | azurerm_service_plan | Ensure App Service plan suitable for production use | Terraform | [AppServiceSkuMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSkuMinimum.py) | -| 1461 | CKV_AZURE_212 | resource | azurerm_service_plan | Ensure App Service has a minimum number of instances for failover | Terraform | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py) | -| 1462 | CKV_AZURE_213 | resource | azurerm_app_service | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1463 | CKV_AZURE_213 | resource | azurerm_linux_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1464 | CKV_AZURE_213 | resource | azurerm_windows_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1465 | CKV_AZURE_214 | resource | azurerm_linux_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | -| 1466 | CKV_AZURE_214 | resource | azurerm_windows_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | -| 1467 | CKV_AZURE_215 | resource | azurerm_api_management_backend | Ensure API management backend uses https | Terraform | [APIManagementBackendHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementBackendHTTPS.py) | -| 1468 | CKV_AZURE_216 | resource | azurerm_firewall | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Terraform | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDenyThreatIntelMode.py) | -| 1469 | CKV_AZURE_217 | resource | azurerm_application_gateway | Ensure Azure Application gateways listener that allow connection requests over HTTP | Terraform | [AppGWUsesHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUsesHttps.py) | -| 1470 | CKV_AZURE_218 | resource | azurerm_application_gateway | Ensure Application Gateway defines secure protocols for in transit communication | Terraform | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py) | -| 1471 | CKV_AZURE_219 | resource | azurerm_firewall | Ensure Firewall defines a firewall policy | Terraform | [AzureFirewallDefinesPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDefinesPolicy.py) | -| 1472 | CKV_AZURE_220 | resource | azurerm_firewall_policy | Ensure Firewall policy has IDPS mode as deny | Terraform | [AzureFirewallPolicyIDPSDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallPolicyIDPSDeny.py) | -| 1473 | CKV_AZURE_221 | resource | azurerm_linux_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1474 | CKV_AZURE_221 | resource | azurerm_linux_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1475 | CKV_AZURE_221 | resource | azurerm_windows_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1476 | CKV_AZURE_221 | resource | azurerm_windows_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1477 | CKV_AZURE_222 | resource | azurerm_linux_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | -| 1478 | CKV_AZURE_222 | resource | azurerm_windows_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | -| 1479 | CKV_AZURE_223 | resource | azurerm_eventhub_namespace | Ensure Event Hub Namespace uses at least TLS 1.2 | Terraform | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceMinTLS12.py) | -| 1480 | CKV_AZURE_224 | resource | azurerm_mssql_database | Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity | Terraform | [SQLDatabaseLedgerEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseLedgerEnabled.py) | -| 1481 | CKV_AZURE_225 | resource | azurerm_service_plan | Ensure the App Service Plan is zone redundant | Terraform | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py) | -| 1482 | CKV_AZURE_226 | resource | azurerm_kubernetes_cluster | Ensure ephemeral disks are used for OS disks | Terraform | [AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py) | -| 1483 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | -| 1484 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster_node_pool | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | -| 1485 | CKV_AZURE_228 | resource | azurerm_eventhub_namespace | Ensure the Azure Event Hub Namespace is zone redundant | Terraform | [EventHubNamespaceZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceZoneRedundant.py) | -| 1486 | CKV_AZURE_229 | resource | azurerm_mssql_database | Ensure the Azure SQL Database Namespace is zone redundant | Terraform | [SQLDatabaseZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseZoneRedundant.py) | -| 1487 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | [StorageCriticalDataEncryptedCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageCriticalDataEncryptedCMK.yaml) | -| 1488 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | -| 1489 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | -| 1490 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1491 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1492 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1493 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1494 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1495 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1496 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1497 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1498 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1499 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1500 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1501 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1502 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | -| 1503 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | -| 1504 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | [AzureActiveDirectoryAdminIsConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureActiveDirectoryAdminIsConfigured.yaml) | -| 1505 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 1506 | CKV2_AZURE_8 | resource | azurerm_storage_account | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 1507 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 1508 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | [VirtualMachinesUtilizingManagedDisks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VirtualMachinesUtilizingManagedDisks.yaml) | -| 1509 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | -| 1510 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | -| 1511 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | [DataExplorerEncryptionUsesCustomKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DataExplorerEncryptionUsesCustomKey.yaml) | -| 1512 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | [VMHasBackUpMachine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VMHasBackUpMachine.yaml) | -| 1513 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | -| 1514 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | -| 1515 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | -| 1516 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | -| 1517 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | [AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml) | -| 1518 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | -| 1519 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | -| 1520 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | -| 1521 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | -| 1522 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | [AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml) | -| 1523 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 1524 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 1525 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 1526 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 1527 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 1528 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 1529 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | -| 1530 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | -| 1531 | CKV2_AZURE_23 | resource | azurerm_spring_cloud_service | Ensure Azure spring cloud is configured with Virtual network (Vnet) | Terraform | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudConfigWithVnet.yaml) | -| 1532 | CKV2_AZURE_24 | resource | azurerm_automation_account | Ensure Azure automation account does NOT have overly permissive network access | Terraform | [AzureAutomationAccNotOverlyPermissiveNetAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccNotOverlyPermissiveNetAccess.yaml) | -| 1533 | CKV2_AZURE_25 | resource | azurerm_mssql_database | Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled | Terraform | [AzureSqlDbEnableTransparentDataEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSqlDbEnableTransparentDataEncryption.yaml) | -| 1534 | CKV2_AZURE_26 | resource | azurerm_postgresql_flexible_server_firewall_rule | Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access | Terraform | [AzurePostgreSQLFlexServerNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLFlexServerNotOverlyPermissive.yaml) | -| 1535 | CKV2_AZURE_27 | resource | azurerm_mssql_server | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Terraform | [AzureConfigMSSQLwithAD.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml) | -| 1536 | CKV2_AZURE_28 | resource | azurerm_container_group | Ensure Container Instance is configured with managed identity | Terraform | [AzureContainerInstanceconfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureContainerInstanceconfigManagedIdentity.yaml) | -| 1537 | CKV2_AZURE_29 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Azure CNI networking enabled | Terraform | [AzureAKSclusterAzureCNIEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAKSclusterAzureCNIEnabled.yaml) | -| 1538 | CKV2_AZURE_30 | resource | azurerm_container_registry_webhook | Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook | Terraform | [AzureACR_HTTPSwebhook.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureACR_HTTPSwebhook.yaml) | -| 1539 | CKV2_AZURE_31 | resource | azurerm_subnet | Ensure VNET subnet is configured with a Network Security Group (NSG) | Terraform | [AzureSubnetConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSubnetConfigWithNSG.yaml) | -| 1540 | CKV2_AZURE_32 | resource | azurerm_key_vault | Ensure private endpoint is configured to key vault | Terraform | [AzureKeyVaultConfigPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureKeyVaultConfigPrivateEndpoint.yaml) | -| 1541 | CKV2_AZURE_33 | resource | azurerm_storage_account | Ensure storage account is configured with private endpoint | Terraform | [AzureStorageAccConfigWithPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithPrivateEndpoint.yaml) | -| 1542 | CKV2_AZURE_34 | resource | azurerm_sql_firewall_rule | Ensure Azure SQL server firewall is not overly permissive | Terraform | [AzureSQLserverNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSQLserverNotOverlyPermissive.yaml) | -| 1543 | CKV2_AZURE_35 | resource | azurerm_recovery_services_vault | Ensure Azure recovery services vault is configured with managed identity | Terraform | [AzureRecoveryServicesvaultConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureRecoveryServicesvaultConfigManagedIdentity.yaml) | -| 1544 | CKV2_AZURE_36 | resource | azurerm_automation_account | Ensure Azure automation account is configured with managed identity | Terraform | [AzureAutomationAccConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccConfigManagedIdentity.yaml) | -| 1545 | CKV2_AZURE_37 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is using latest TLS (1.2) | Terraform | [AzureMariaDBserverUsingTLS_1_2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverUsingTLS_1_2.yaml) | -| 1546 | CKV2_AZURE_38 | resource | azurerm_storage_account | Ensure soft-delete is enabled on Azure storage account | Terraform | [AzureStorageAccountEnableSoftDelete.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccountEnableSoftDelete.yaml) | -| 1547 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/bridgecrew/credentials.py) | -| 1548 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | [SpacesBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketVersioning.py) | -| 1549 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | [DropletSSHKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/DropletSSHKeys.py) | -| 1550 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | [SpacesBucketPublicRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketPublicRead.py) | -| 1551 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | [FirewallIngressOpen.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/FirewallIngressOpen.py) | -| 1552 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClusterLogging.py) | -| 1553 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | [GoogleComputeFirewallUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress22.py) | -| 1554 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3389.py) | -| 1555 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | [GoogleComputeSSLPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSSLPolicy.py) | -| 1556 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | [GoogleCloudSqlDatabaseRequireSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py) | -| 1557 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | [GKEDisableLegacyAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDisableLegacyAuth.py) | -| 1558 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMonitoringEnabled.py) | -| 1559 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoRepairEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoRepairEnabled.py) | -| 1560 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoUpgradeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoUpgradeEnabled.py) | -| 1561 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | [GoogleCloudSqlDatabasePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabasePubliclyAccessible.py) | -| 1562 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | [GKENetworkPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENetworkPolicyEnabled.py) | -| 1563 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | [GKEClientCertificateDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py) | -| 1564 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | [GoogleCloudSqlBackupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlBackupConfiguration.py) | -| 1565 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | [GoogleBigQueryDatasetPublicACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleBigQueryDatasetPublicACL.py) | -| 1566 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | [GoogleCloudDNSSECEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSSECEnabled.py) | -| 1567 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | [GoogleCloudDNSKeySpecsRSASHA1.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSKeySpecsRSASHA1.py) | -| 1568 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | [GKEPublicControlPlane.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPublicControlPlane.py) | -| 1569 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | [GKEBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBasicAuth.py) | -| 1570 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | [GKEMasterAuthorizedNetworksEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMasterAuthorizedNetworksEnabled.py) | -| 1571 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | [GKEHasLabels.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEHasLabels.py) | -| 1572 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | [GKEUseCosImage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py) | -| 1573 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | [GKEAliasIpEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEAliasIpEnabled.py) | -| 1574 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | [GKEPodSecurityPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py) | -| 1575 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | [GKEPrivateClusterConfig.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateClusterConfig.py) | -| 1576 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | [GoogleSubnetworkLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkLoggingEnabled.py) | -| 1577 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | [GoogleProjectDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectDefaultNetwork.py) | -| 1578 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | -| 1579 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | -| 1580 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | [GoogleStorageBucketUniformAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketUniformAccess.py) | -| 1581 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | -| 1582 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | -| 1583 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | -| 1584 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | -| 1585 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | -| 1586 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | -| 1587 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | -| 1588 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | -| 1589 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | -| 1590 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | [GoogleComputeProjectOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeProjectOSLogin.py) | -| 1591 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | -| 1592 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | -| 1593 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | -| 1594 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | -| 1595 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | -| 1596 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | -| 1597 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | -| 1598 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | -| 1599 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | -| 1600 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDiskEncryption.py) | -| 1601 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeBootDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBootDiskEncryption.py) | -| 1602 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | -| 1603 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | -| 1604 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | -| 1605 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | -| 1606 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | -| 1607 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | -| 1608 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | -| 1609 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | -| 1610 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | [GoogleProjectAdminServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectAdminServiceAccount.py) | -| 1611 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | [GoogleKMSRotationPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py) | -| 1612 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | -| 1613 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | -| 1614 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | -| 1615 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | -| 1616 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | -| 1617 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | -| 1618 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | -| 1619 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | -| 1620 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | -| 1621 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | -| 1622 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | -| 1623 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | -| 1624 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | [GoogleCloudMySqlLocalInfileOff.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudMySqlLocalInfileOff.py) | -| 1625 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogCheckpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py) | -| 1626 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogConnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py) | -| 1627 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogDisconnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py) | -| 1628 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogLockWaits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py) | -| 1629 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | [GoogleCloudPostgreSqlLogMinMessage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinMessage.py) | -| 1630 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | [GoogleCloudPostgreSqlLogTemp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogTemp.py) | -| 1631 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | [GoogleCloudPostgreSqlLogMinDuration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinDuration.py) | -| 1632 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | [GoogleCloudSqlServerCrossDBOwnershipChaining.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerCrossDBOwnershipChaining.py) | -| 1633 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | [GoogleCloudSqlServerContainedDBAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerContainedDBAuthentication.py) | -| 1634 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | [GoogleCloudSqlServerNoPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerNoPublicIP.py) | -| 1635 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | [GKEEnableVPCFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableVPCFlowLogs.py) | -| 1636 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | [CloudStorageLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageLogging.py) | -| 1637 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | [CloudStorageSelfLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageSelfLogging.py) | -| 1638 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | [GKEPrivateNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateNodes.py) | -| 1639 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | [GKEKubernetesRBACGoogleGroups.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEKubernetesRBACGoogleGroups.py) | -| 1640 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | [GKEBinaryAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py) | -| 1641 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | -| 1642 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | -| 1643 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | -| 1644 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | -| 1645 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | [GKEReleaseChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEReleaseChannel.py) | -| 1646 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | [GKEEnableShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableShieldedNodes.py) | -| 1647 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | -| 1648 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | -| 1649 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [CloudArmorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py) | -| 1650 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | [GoogleSubnetworkPrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py) | -| 1651 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | [GoogleComputeFirewallUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress21.py) | -| 1652 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | [GoogleSubnetworkIPV6PrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py) | -| 1653 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | [GoogleComputeFirewallUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress20.py) | -| 1654 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | [CloudStorageVersioningEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageVersioningEnabled.py) | -| 1655 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | [CloudSqlMajorVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudSqlMajorVersion.py) | -| 1656 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryTableEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableEncryptedWithCMK.py) | -| 1657 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryDatasetEncryptedWithCMK.py) | -| 1658 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | [GoogleKMSPreventDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSPreventDestroy.py) | -| 1659 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [CloudPubSubEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudPubSubEncryptedWithCMK.py) | -| 1660 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [ArtifactRegsitryEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegsitryEncryptedWithCMK.py) | -| 1661 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigTableInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceEncryptedWithCMK.py) | -| 1662 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | [CloudBuildWorkersArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudBuildWorkersArePrivate.py) | -| 1663 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | [DataFusionPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionPrivateInstance.py) | -| 1664 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3306.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3306.py) | -| 1665 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | [VertexAIPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIPrivateInstance.py) | -| 1666 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataflowJobEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowJobEncryptedWithCMK.py) | -| 1667 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataprocClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocClusterEncryptedWithCMK.py) | -| 1668 | CKV_GCP_92 | resource | google_vertex_ai_dataset | Ensure Vertex AI datasets uses a CMK (Customer Manager Key) | Terraform | [VertexAIDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIDatasetEncryptedWithCMK.py) | -| 1669 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [SpannerDatabaseEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseEncryptedWithCMK.py) | -| 1670 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | [DataflowPrivateJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowPrivateJob.py) | -| 1671 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | [MemorystoreForRedisAuthEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisAuthEnabled.py) | -| 1672 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Manager Key) | Terraform | [VertexAIMetadataStoreEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIMetadataStoreEncryptedWithCMK.py) | -| 1673 | CKV_GCP_97 | resource | google_redis_instance | Ensure Memorystore for Redis uses intransit encryption | Terraform | [MemorystoreForRedisInTransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisInTransitEncryption.py) | -| 1674 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | -| 1675 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | -| 1676 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | -| 1677 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | -| 1678 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | -| 1679 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | -| 1680 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | -| 1681 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | -| 1682 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | -| 1683 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | -| 1684 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | [DataprocPublicIpCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPublicIpCluster.py) | -| 1685 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | [DataFusionStackdriverLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverLogs.py) | -| 1686 | CKV_GCP_105 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver monitoring enabled | Terraform | [DataFusionStackdriverMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverMonitoring.py) | -| 1687 | CKV_GCP_106 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | Terraform | [GoogleComputeFirewallUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress80.py) | -| 1688 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 1689 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 1690 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 1691 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 1692 | CKV_GCP_108 | resource | google_sql_database_instance | Ensure hostnames are logged for GCP PostgreSQL databases | Terraform | [GoogleCloudPostgreSqlLogHostname.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogHostname.py) | -| 1693 | CKV_GCP_109 | resource | google_sql_database_instance | Ensure the GCP PostgreSQL database log levels are set to ERROR or lower | Terraform | [GoogleCloudPostgreSqlLogMinErrorStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinErrorStatement.py) | -| 1694 | CKV_GCP_110 | resource | google_sql_database_instance | Ensure pgAudit is enabled for your GCP PostgreSQL database | Terraform | [GoogleCloudPostgreSqlEnablePgaudit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlEnablePgaudit.py) | -| 1695 | CKV_GCP_111 | resource | google_sql_database_instance | Ensure GCP PostgreSQL logs SQL statements | Terraform | [GoogleCloudPostgreSqlLogStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogStatement.py) | -| 1696 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_binding | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 1697 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_member | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 1698 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_policy | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 1699 | CKV_GCP_113 | data | google_iam_policy | Ensure IAM policy should not define public access | Terraform | [GooglePolicyIsPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py) | -| 1700 | CKV_GCP_114 | resource | google_storage_bucket | Ensure public access prevention is enforced on Cloud Storage bucket | Terraform | [GoogleStoragePublicAccessPrevention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStoragePublicAccessPrevention.py) | -| 1701 | CKV_GCP_115 | resource | google_organization_iam_binding | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | -| 1702 | CKV_GCP_115 | resource | google_organization_iam_member | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | -| 1703 | CKV_GCP_116 | resource | google_folder_iam_binding | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | -| 1704 | CKV_GCP_116 | resource | google_folder_iam_member | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | -| 1705 | CKV_GCP_117 | resource | google_project_iam_binding | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | -| 1706 | CKV_GCP_117 | resource | google_project_iam_member | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | -| 1707 | CKV_GCP_118 | resource | google_iam_workload_identity_pool_provider | Ensure IAM workload identity pool provider is restricted | Terraform | [GoogleIAMWorkloadIdentityConditional.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleIAMWorkloadIdentityConditional.py) | -| 1708 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | [GKEClustersAreNotUsingDefaultServiceAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GKEClustersAreNotUsingDefaultServiceAccount.yaml) | -| 1709 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | [GCPProjectHasNoLegacyNetworks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPProjectHasNoLegacyNetworks.yaml) | -| 1710 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | [ServiceAccountHasGCPmanagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/ServiceAccountHasGCPmanagedKey.yaml) | -| 1711 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 1712 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 1713 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 1714 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 1715 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | -| 1716 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | -| 1717 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 1718 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 1719 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 1720 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | -| 1721 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | -| 1722 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 1723 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 1724 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 1725 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 1726 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 1727 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 1728 | CKV2_GCP_10 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function HTTP trigger is secured | Terraform | [CloudFunctionSecureHTTPTrigger.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml) | -| 1729 | CKV2_GCP_11 | resource | google_project_services | Ensure GCP GCR Container Vulnerability Scanning is enabled | Terraform | [GCRContainerVulnerabilityScanningEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCRContainerVulnerabilityScanningEnabled.yaml) | -| 1730 | CKV2_GCP_12 | resource | google_compute_firewall | Ensure GCP compute firewall ingress does not allow unrestricted access to all ports | Terraform | [GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml) | -| 1731 | CKV2_GCP_13 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_duration' is set to 'on' | Terraform | [GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml) | -| 1732 | CKV2_GCP_14 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml) | -| 1733 | CKV2_GCP_15 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml) | -| 1734 | CKV2_GCP_16 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml) | -| 1735 | CKV2_GCP_17 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml) | -| 1736 | CKV2_GCP_18 | resource | google_compute_network | Ensure GCP network defines a firewall and does not use the default firewall | Terraform | [GCPNetworkDoesNotUseDefaultFirewall.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml) | -| 1737 | CKV2_GCP_19 | resource | google_container_cluster | Ensure GCP Kubernetes engine clusters have 'alpha cluster' feature disabled | Terraform | [GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml) | -| 1738 | CKV2_GCP_20 | resource | google_sql_database_instance | Ensure MySQL DB instance has point-in-time recovery backup configured | Terraform | [GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml) | -| 1739 | CKV_GIT_1 | resource | github_repository | Ensure GitHub repository is Private | Terraform | [PrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/PrivateRepo.py) | -| 1740 | CKV_GIT_2 | resource | github_repository_webhook | Ensure GitHub repository webhooks are using HTTPS | Terraform | [WebhookInsecureSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/WebhookInsecureSsl.py) | -| 1741 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | [RepositoryEnableVulnerabilityAlerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py) | -| 1742 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 1743 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 1744 | CKV_GIT_4 | resource | github_actions_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 1745 | CKV_GIT_5 | resource | github_branch_protection | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | -| 1746 | CKV_GIT_5 | resource | github_branch_protection_v3 | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | -| 1747 | CKV_GIT_6 | resource | github_branch_protection | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | -| 1748 | CKV_GIT_6 | resource | github_branch_protection_v3 | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | -| 1749 | CKV2_GIT_1 | resource | github_repository | Ensure each Repository has branch protection associated | Terraform | [RepositoryHasBranchProtection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/github/RepositoryHasBranchProtection.yaml) | -| 1750 | CKV_GLB_1 | resource | gitlab_project | Ensure at least two approving reviews are required to merge a GitLab MR | Terraform | [RequireTwoApprovalsToMerge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RequireTwoApprovalsToMerge.py) | -| 1751 | CKV_GLB_2 | resource | gitlab_branch_protection | Ensure GitLab branch protection rules does not allow force pushes | Terraform | [ForcePushDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/ForcePushDisabled.py) | -| 1752 | CKV_GLB_3 | resource | gitlab_project | Ensure GitLab prevent secrets is enabled | Terraform | [PreventSecretsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/PreventSecretsEnabled.py) | -| 1753 | CKV_GLB_4 | resource | gitlab_project | Ensure GitLab commits are signed | Terraform | [RejectUnsignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RejectUnsignedCommits.py) | -| 1754 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPIDPSP.py) | -| 1755 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | [PrivilegedContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainerPSP.py) | -| 1756 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPCPSP.py) | -| 1757 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespacePSP.py) | -| 1758 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalationPSP.py) | -| 1759 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | [RootContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py) | -| 1760 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py) | -| 1761 | CKV_K8S_8 | resource | kubernetes_deployment | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 1762 | CKV_K8S_8 | resource | kubernetes_deployment_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 1763 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 1764 | CKV_K8S_8 | resource | kubernetes_pod_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 1765 | CKV_K8S_9 | resource | kubernetes_deployment | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 1766 | CKV_K8S_9 | resource | kubernetes_deployment_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 1767 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 1768 | CKV_K8S_9 | resource | kubernetes_pod_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 1769 | CKV_K8S_10 | resource | kubernetes_deployment | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 1770 | CKV_K8S_10 | resource | kubernetes_deployment_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 1771 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 1772 | CKV_K8S_10 | resource | kubernetes_pod_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 1773 | CKV_K8S_11 | resource | kubernetes_deployment | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 1774 | CKV_K8S_11 | resource | kubernetes_deployment_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 1775 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 1776 | CKV_K8S_11 | resource | kubernetes_pod_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 1777 | CKV_K8S_12 | resource | kubernetes_deployment | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 1778 | CKV_K8S_12 | resource | kubernetes_deployment_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 1779 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 1780 | CKV_K8S_12 | resource | kubernetes_pod_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 1781 | CKV_K8S_13 | resource | kubernetes_deployment | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 1782 | CKV_K8S_13 | resource | kubernetes_deployment_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 1783 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 1784 | CKV_K8S_13 | resource | kubernetes_pod_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 1785 | CKV_K8S_14 | resource | kubernetes_deployment | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 1786 | CKV_K8S_14 | resource | kubernetes_deployment_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 1787 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 1788 | CKV_K8S_14 | resource | kubernetes_pod_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 1789 | CKV_K8S_15 | resource | kubernetes_deployment | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 1790 | CKV_K8S_15 | resource | kubernetes_deployment_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 1791 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 1792 | CKV_K8S_15 | resource | kubernetes_pod_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 1793 | CKV_K8S_16 | resource | kubernetes_deployment | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 1794 | CKV_K8S_16 | resource | kubernetes_deployment_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 1795 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 1796 | CKV_K8S_16 | resource | kubernetes_pod_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 1797 | CKV_K8S_17 | resource | kubernetes_deployment | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 1798 | CKV_K8S_17 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 1799 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 1800 | CKV_K8S_17 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 1801 | CKV_K8S_18 | resource | kubernetes_deployment | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 1802 | CKV_K8S_18 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 1803 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 1804 | CKV_K8S_18 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 1805 | CKV_K8S_19 | resource | kubernetes_deployment | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 1806 | CKV_K8S_19 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 1807 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 1808 | CKV_K8S_19 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 1809 | CKV_K8S_20 | resource | kubernetes_deployment | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 1810 | CKV_K8S_20 | resource | kubernetes_deployment_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 1811 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 1812 | CKV_K8S_20 | resource | kubernetes_pod_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 1813 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1814 | CKV_K8S_21 | resource | kubernetes_config_map_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1815 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1816 | CKV_K8S_21 | resource | kubernetes_cron_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1817 | CKV_K8S_21 | resource | kubernetes_daemon_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1818 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1819 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1820 | CKV_K8S_21 | resource | kubernetes_deployment_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1821 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1822 | CKV_K8S_21 | resource | kubernetes_ingress_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1823 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1824 | CKV_K8S_21 | resource | kubernetes_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1825 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1826 | CKV_K8S_21 | resource | kubernetes_pod_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1827 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1828 | CKV_K8S_21 | resource | kubernetes_replication_controller_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1829 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1830 | CKV_K8S_21 | resource | kubernetes_role_binding_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1831 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1832 | CKV_K8S_21 | resource | kubernetes_secret_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1833 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1834 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1835 | CKV_K8S_21 | resource | kubernetes_service_account_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1836 | CKV_K8S_21 | resource | kubernetes_service_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1837 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1838 | CKV_K8S_21 | resource | kubernetes_stateful_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1839 | CKV_K8S_22 | resource | kubernetes_deployment | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 1840 | CKV_K8S_22 | resource | kubernetes_deployment_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 1841 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 1842 | CKV_K8S_22 | resource | kubernetes_pod_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 1843 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesPSP.py) | -| 1844 | CKV_K8S_25 | resource | kubernetes_deployment | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 1845 | CKV_K8S_25 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 1846 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 1847 | CKV_K8S_25 | resource | kubernetes_pod_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 1848 | CKV_K8S_26 | resource | kubernetes_deployment | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 1849 | CKV_K8S_26 | resource | kubernetes_deployment_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 1850 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 1851 | CKV_K8S_26 | resource | kubernetes_pod_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 1852 | CKV_K8S_27 | resource | kubernetes_daemon_set_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 1853 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 1854 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 1855 | CKV_K8S_27 | resource | kubernetes_deployment_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 1856 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 1857 | CKV_K8S_27 | resource | kubernetes_pod_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 1858 | CKV_K8S_28 | resource | kubernetes_deployment | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 1859 | CKV_K8S_28 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 1860 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 1861 | CKV_K8S_28 | resource | kubernetes_pod_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 1862 | CKV_K8S_29 | resource | kubernetes_daemon_set_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 1863 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 1864 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 1865 | CKV_K8S_29 | resource | kubernetes_deployment_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 1866 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 1867 | CKV_K8S_29 | resource | kubernetes_pod_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 1868 | CKV_K8S_30 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 1869 | CKV_K8S_30 | resource | kubernetes_deployment_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 1870 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 1871 | CKV_K8S_30 | resource | kubernetes_pod_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 1872 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py) | -| 1873 | CKV_K8S_34 | resource | kubernetes_deployment | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 1874 | CKV_K8S_34 | resource | kubernetes_deployment_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 1875 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 1876 | CKV_K8S_34 | resource | kubernetes_pod_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 1877 | CKV_K8S_35 | resource | kubernetes_deployment | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 1878 | CKV_K8S_35 | resource | kubernetes_deployment_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 1879 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 1880 | CKV_K8S_35 | resource | kubernetes_pod_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 1881 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilitiesPSP.py) | -| 1882 | CKV_K8S_37 | resource | kubernetes_deployment | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 1883 | CKV_K8S_37 | resource | kubernetes_deployment_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 1884 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 1885 | CKV_K8S_37 | resource | kubernetes_pod_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 1886 | CKV_K8S_39 | resource | kubernetes_deployment | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 1887 | CKV_K8S_39 | resource | kubernetes_deployment_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 1888 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 1889 | CKV_K8S_39 | resource | kubernetes_pod_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 1890 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | -| 1891 | CKV_K8S_41 | resource | kubernetes_service_account_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | -| 1892 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 1893 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 1894 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 1895 | CKV_K8S_42 | resource | kubernetes_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 1896 | CKV_K8S_43 | resource | kubernetes_deployment | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 1897 | CKV_K8S_43 | resource | kubernetes_deployment_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 1898 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 1899 | CKV_K8S_43 | resource | kubernetes_pod_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 1900 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | -| 1901 | CKV_K8S_44 | resource | kubernetes_service_v1 | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | -| 1902 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 1903 | CKV_K8S_49 | resource | kubernetes_cluster_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 1904 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 1905 | CKV_K8S_49 | resource | kubernetes_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 1906 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/linode/credentials.py) | -| 1907 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | [authorized_keys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/authorized_keys.py) | -| 1908 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | [user_email_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_email_set.py) | -| 1909 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | [user_username_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_username_set.py) | -| 1910 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_inbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_inbound_policy.py) | -| 1911 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_outbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_outbound_policy.py) | -| 1912 | CKV_NCP_1 | resource | ncloud_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupDefinesHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py) | -| 1913 | CKV_NCP_2 | resource | ncloud_access_control_group | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | -| 1914 | CKV_NCP_2 | resource | ncloud_access_control_group_rule | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | -| 1915 | CKV_NCP_3 | resource | ncloud_access_control_group_rule | Ensure no security group rules allow outbound traffic to 0.0.0.0/0 | Terraform | [AccessControlGroupOutboundRule.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py) | -| 1916 | CKV_NCP_4 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22 | Terraform | [AccessControlGroupInboundRulePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort22.py) | -| 1917 | CKV_NCP_5 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [AccessControlGroupInboundRulePort3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort3389.py) | -| 1918 | CKV_NCP_6 | resource | ncloud_server | Ensure Server instance is encrypted. | Terraform | [ServerEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerEncryptionVPC.py) | -| 1919 | CKV_NCP_7 | resource | ncloud_launch_configuration | Ensure Basic Block storage is encrypted. | Terraform | [LaunchConfigurationEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LaunchConfigurationEncryptionVPC.py) | -| 1920 | CKV_NCP_8 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 20 | Terraform | [NACLInbound20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound20.py) | -| 1921 | CKV_NCP_9 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 21 | Terraform | [NACLInbound21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound21.py) | -| 1922 | CKV_NCP_10 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 22 | Terraform | [NACLInbound22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound22.py) | -| 1923 | CKV_NCP_11 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [NACLInbound3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound3389.py) | -| 1924 | CKV_NCP_12 | resource | ncloud_network_acl_rule | An inbound Network ACL rule should not allow ALL ports. | Terraform | [NACLPortCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLPortCheck.py) | -| 1925 | CKV_NCP_13 | resource | ncloud_lb_listener | Ensure LB Listener uses only secure protocols | Terraform | [LBListenerUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py) | -| 1926 | CKV_NCP_14 | resource | ncloud_nas_volume | Ensure NAS is securely encrypted | Terraform | [NASEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py) | -| 1927 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | [LBTargetGroupUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py) | -| 1928 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | [LBNetworkPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py) | -| 1929 | CKV_NCP_18 | resource | ncloud_auto_scaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | -| 1930 | CKV_NCP_18 | resource | ncloud_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | -| 1931 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | [NKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSPublicAccess.py) | -| 1932 | CKV_NCP_20 | resource | ncloud_route | Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | Terraform | [RouteTableNATGatewayDefault.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py) | -| 1933 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | [NKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py) | -| 1934 | CKV_NCP_22 | resource | ncloud_route_table | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | -| 1935 | CKV_NCP_22 | resource | ncloud_subnet | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | -| 1936 | CKV_NCP_23 | resource | ncloud_public_ip | Ensure Server instance should not have public IP. | Terraform | [ServerPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerPublicIP.py) | -| 1937 | CKV_NCP_24 | resource | ncloud_lb_listener | Ensure Load Balancer Listener Using HTTPS | Terraform | [LBListenerUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsingHTTPS.py) | -| 1938 | CKV_NCP_25 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 | Terraform | [AccessControlGroupInboundRulePort80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort80.py) | -| 1939 | CKV_NCP_26 | resource | ncloud_access_control_group | Ensure Access Control Group has Access Control Group Rule attached | Terraform | [AccessControlGroupRuleDefine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AccessControlGroupRuleDefine.yaml) | -| 1940 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/oci/credentials.py) | -| 1941 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | [StorageBlockBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockBackupEnabled.py) | -| 1942 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | [StorageBlockEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockEncryption.py) | -| 1943 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | [InstanceBootVolumeIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceBootVolumeIntransitEncryption.py) | -| 1944 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | [InstanceMetadataServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMetadataServiceEnabled.py) | -| 1945 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | [InstanceMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMonitoringEnabled.py) | -| 1946 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | [ObjectStorageEmitEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEmitEvents.py) | -| 1947 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | [ObjectStorageVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageVersioning.py) | -| 1948 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | [ObjectStorageEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEncryption.py) | -| 1949 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | [ObjectStoragePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStoragePublic.py) | -| 1950 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | [IAMPasswordPolicyLowerCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyLowerCase.py) | -| 1951 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | [IAMPasswordPolicyNumeric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyNumeric.py) | -| 1952 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | [IAMPasswordPolicySpecialCharacters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicySpecialCharacters.py) | -| 1953 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | [IAMPasswordPolicyUpperCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyUpperCase.py) | -| 1954 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | [FileSystemEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/FileSystemEncryption.py) | -| 1955 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | [SecurityListIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngress.py) | -| 1956 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | [SecurityListIngressStateless.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngressStateless.py) | -| 1957 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters | Terraform | [IAMPasswordLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordLength.py) | -| 1958 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | [SecurityListUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress22.py) | -| 1959 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | [SecurityListUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress3389.py) | -| 1960 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | [SecurityGroupsIngressStatelessSecurityRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityGroupsIngressStatelessSecurityRules.py) | -| 1961 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | [AbsSecurityGroupUnrestrictedIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/AbsSecurityGroupUnrestrictedIngress.py) | -| 1962 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 1963 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 1964 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 1965 | CKV2_OCI_2 | resource | oci_core_network_security_group_security_rule | Ensure NSG does not allow all traffic on RDP port (3389) | Terraform | [OCI_NSGNotAllowRDP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml) | -| 1966 | CKV2_OCI_3 | resource | oci_containerengine_cluster | Ensure Kubernetes engine cluster is configured with NSG(s) | Terraform | [OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml) | -| 1967 | CKV2_OCI_4 | resource | oci_file_storage_export | Ensure File Storage File System access is restricted to root users | Terraform | [OCI_NFSaccessRestrictedToRootUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NFSaccessRestrictedToRootUsers.yaml) | -| 1968 | CKV2_OCI_5 | resource | oci_containerengine_node_pool | Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Terraform | [OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml) | -| 1969 | CKV2_OCI_6 | resource | oci_containerengine_cluster | Ensure Kubernetes Engine Cluster pod security policy is enforced | Terraform | [OCI_K8EngineClusterPodSecPolicyEnforced.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterPodSecPolicyEnforced.yaml) | -| 1970 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/openstack/credentials.py) | -| 1971 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | -| 1972 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | -| 1973 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | -| 1974 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | -| 1975 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | [ComputeInstanceAdminPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/ComputeInstanceAdminPassword.py) | -| 1976 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | [FirewallRuleSetDestinationIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/FirewallRuleSetDestinationIP.py) | -| 1977 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/panos/credentials.py) | -| 1978 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoHTTP.py) | -| 1979 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoTelnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoTelnet.py) | -| 1980 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | -| 1981 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | -| 1982 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | -| 1983 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | -| 1984 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | -| 1985 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | -| 1986 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | -| 1987 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | -| 1988 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | -| 1989 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | -| 1990 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | -| 1991 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | -| 1992 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | -| 1993 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | -| 1994 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | -| 1995 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | -| 1996 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | -| 1997 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | -| 1998 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | -| 1999 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | -| 2000 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 2001 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 2002 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 2003 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | -| 2004 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | -| 2005 | CKV_TF_1 | module | module | Ensure Terraform module sources use a commit hash | Terraform | [RevisionHash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py) | -| 2006 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2007 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2008 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2009 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2010 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2011 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2012 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2013 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2014 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2015 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | [ComputeVMPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMPublicIP.py) | -| 2016 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | [ObjectStorageBucketEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketEncryption.py) | -| 2017 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | [ComputeVMSerialConsole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSerialConsole.py) | -| 2018 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | [K8SPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SPublicIP.py) | -| 2019 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | [K8SNodeGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupPublicIP.py) | -| 2020 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform | [K8SAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SAutoUpgrade.py) | -| 2021 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | [K8SNodeGroupAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupAutoUpgrade.py) | -| 2022 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | [KMSSymmetricKeyRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/KMSSymmetricKeyRotation.py) | -| 2023 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | [K8SEtcdKMSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SEtcdKMSEncryption.py) | -| 2024 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | [ComputeVMSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSecurityGroup.py) | -| 2025 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2026 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2027 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2028 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2029 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2030 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2031 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2032 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2033 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | -| 2034 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | -| 2035 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | [K8SSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SSecurityGroup.py) | -| 2036 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | [K8SNodeGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupSecurityGroup.py) | -| 2037 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | [K8SNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNetworkPolicy.py) | -| 2038 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. | Terraform | [ObjectStorageBucketPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py) | -| 2039 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | [ComputeInstanceGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupPublicIP.py) | -| 2040 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform | [VPCSecurityGroupAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py) | -| 2041 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | [VPCSecurityGroupRuleAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py) | -| 2042 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | -| 2043 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | -| 2044 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform | [ComputeInstanceGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupSecurityGroup.py) | -| 2045 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | -| 2046 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | -| 2047 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2048 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2049 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2050 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2051 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2052 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 1394 | CKV_AZURE_153 | resource | azurerm_linux_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 1395 | CKV_AZURE_153 | resource | azurerm_windows_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 1396 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | [AppServiceSlotMinTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py) | +| 1397 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotDebugDisabled.py) | +| 1398 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | [MSSQLServerAuditPolicyLogMonitor.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerAuditPolicyLogMonitor.py) | +| 1399 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesDataExfilProtection.py) | +| 1400 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace is not public | Terraform | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py) | +| 1401 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | +| 1402 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | +| 1403 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | +| 1404 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | +| 1405 | CKV_AZURE_161 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal is enabled on for HTTPS | Terraform | [SpringCloudAPIPortalHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalHTTPSOnly.py) | +| 1406 | CKV_AZURE_162 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal Public Access Is Disabled | Terraform | [SpringCloudAPIPortalPublicAccessIsDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py) | +| 1407 | CKV_AZURE_163 | resource | azurerm_container_registry | Enable vulnerability scanning for container images. | Terraform | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py) | +| 1408 | CKV_AZURE_164 | resource | azurerm_container_registry | Ensures that ACR uses signed/trusted images | Terraform | [ACRUseSignedImages.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRUseSignedImages.py) | +| 1409 | CKV_AZURE_165 | resource | azurerm_container_registry | Ensure geo-replicated container registries to match multi-region container deployments. | Terraform | [ACRGeoreplicated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py) | +| 1410 | CKV_AZURE_166 | resource | azurerm_container_registry | Ensure container image quarantine, scan, and mark images verified | Terraform | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableImageQuarantine.py) | +| 1411 | CKV_AZURE_167 | resource | azurerm_container_registry | Ensure a retention policy is set to cleanup untagged manifests. | Terraform | [ACREnableRetentionPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py) | +| 1412 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | +| 1413 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster_node_pool | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | +| 1414 | CKV_AZURE_169 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Terraform | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSPoolTypeIsScaleSet.py) | +| 1415 | CKV_AZURE_170 | resource | azurerm_kubernetes_cluster | Ensure that AKS use the Paid Sku for its SLA | Terraform | [AKSIsPaidSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSIsPaidSku.py) | +| 1416 | CKV_AZURE_171 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster upgrade channel is chosen | Terraform | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUpgradeChannel.py) | +| 1417 | CKV_AZURE_172 | resource | azurerm_kubernetes_cluster | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Terraform | [AKSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSSecretStoreRotation.py) | +| 1418 | CKV_AZURE_173 | resource | azurerm_api_management | Ensure API management uses at least TLS 1.2 | Terraform | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py) | +| 1419 | CKV_AZURE_174 | resource | azurerm_api_management | Ensure API management public access is disabled | Terraform | [APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementPublicAccess.py) | +| 1420 | CKV_AZURE_175 | resource | azurerm_web_pubsub | Ensure Web PubSub uses a SKU with an SLA | Terraform | [PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSKUSLA.py) | +| 1421 | CKV_AZURE_176 | resource | azurerm_web_pubsub | Ensure Web PubSub uses managed identities to access Azure resources | Terraform | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSpecifyIdentity.py) | +| 1422 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | +| 1423 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine_scale_set | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | +| 1424 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | +| 1425 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine_scale_set | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | +| 1426 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1427 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1428 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1429 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1430 | CKV_AZURE_180 | resource | azurerm_kusto_cluster | Ensure that data explorer uses Sku with an SLA | Terraform | [DataExplorerSKUHasSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerSKUHasSLA.py) | +| 1431 | CKV_AZURE_181 | resource | azurerm_kusto_cluster | Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. | Terraform | [DataExplorerServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerServiceIdentity.py) | +| 1432 | CKV_AZURE_182 | resource | azurerm_virtual_network | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | +| 1433 | CKV_AZURE_182 | resource | azurerm_virtual_network_dns_servers | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | +| 1434 | CKV_AZURE_183 | resource | azurerm_virtual_network | Ensure that VNET uses local DNS addresses | Terraform | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetLocalDNS.py) | +| 1435 | CKV_AZURE_184 | resource | azurerm_app_configuration | Ensure 'local_auth_enabled' is set to 'False' | Terraform | [AppConfigLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigLocalAuth.py) | +| 1436 | CKV_AZURE_185 | resource | azurerm_app_configuration | Ensure 'Public Access' is not Enabled for App configuration | Terraform | [AppConfigPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPublicAccess.py) | +| 1437 | CKV_AZURE_186 | resource | azurerm_app_configuration | Ensure App configuration encryption block is set. | Terraform | [AppConfigEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigEncryption.py) | +| 1438 | CKV_AZURE_187 | resource | azurerm_app_configuration | Ensure App configuration purge protection is enabled | Terraform | [AppConfigPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPurgeProtection.py) | +| 1439 | CKV_AZURE_188 | resource | azurerm_app_configuration | Ensure App configuration Sku is standard | Terraform | [AppConfigSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigSku.py) | +| 1440 | CKV_AZURE_189 | resource | azurerm_key_vault | Ensure that Azure Key Vault disables public network access | Terraform | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py) | +| 1441 | CKV_AZURE_190 | resource | azurerm_storage_account | Ensure that Storage blobs restrict public access | Terraform | [StorageBlobRestrictPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py) | +| 1442 | CKV_AZURE_191 | resource | azurerm_eventgrid_topic | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Terraform | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicIdentityProviderEnabled.py) | +| 1443 | CKV_AZURE_192 | resource | azurerm_eventgrid_topic | Ensure that Azure Event Grid Topic local Authentication is disabled | Terraform | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicLocalAuthentication.py) | +| 1444 | CKV_AZURE_193 | resource | azurerm_eventgrid_topic | Ensure public network access is disabled for Azure Event Grid Topic | Terraform | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicNetworkAccess.py) | +| 1445 | CKV_AZURE_194 | resource | azurerm_eventgrid_domain | Ensure that Managed identity provider is enabled for Azure Event Grid Domain | Terraform | [EventgridDomainIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainIdentityProviderEnabled.py) | +| 1446 | CKV_AZURE_195 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain local Authentication is disabled | Terraform | [EventgridDomainLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainLocalAuthentication.py) | +| 1447 | CKV_AZURE_196 | resource | azurerm_signalr_service | Ensure that SignalR uses a Paid Sku for its SLA | Terraform | [SignalRSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SignalRSKUSLA.py) | +| 1448 | CKV_AZURE_197 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN disables the HTTP endpoint | Terraform | [CDNDisableHttpEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNDisableHttpEndpoints.py) | +| 1449 | CKV_AZURE_198 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN enables the HTTPS endpoint | Terraform | [CDNEnableHttpsEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNEnableHttpsEndpoints.py) | +| 1450 | CKV_AZURE_199 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses double encryption | Terraform | [AzureServicebusDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusDoubleEncryptionEnabled.py) | +| 1451 | CKV_AZURE_200 | resource | azurerm_cdn_endpoint_custom_domain | Ensure the Azure CDN endpoint is using the latest version of TLS encryption | Terraform | [CDNTLSProtocol12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py) | +| 1452 | CKV_AZURE_201 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses a customer-managed key to encrypt data | Terraform | [AzureServicebusHasCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusHasCMK.py) | +| 1453 | CKV_AZURE_202 | resource | azurerm_servicebus_namespace | Ensure that Managed identity provider is enabled for Azure Service Bus | Terraform | [AzureServicebusIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusIdentityProviderEnabled.py) | +| 1454 | CKV_AZURE_203 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus Local Authentication is disabled | Terraform | [AzureServicebusLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusLocalAuthDisabled.py) | +| 1455 | CKV_AZURE_204 | resource | azurerm_servicebus_namespace | Ensure 'public network access enabled' is set to 'False' for Azure Service Bus | Terraform | [AzureServicebusPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusPublicAccessDisabled.py) | +| 1456 | CKV_AZURE_205 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus is using the latest version of TLS encryption | Terraform | [AzureServicebusMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusMinTLSVersion.py) | +| 1457 | CKV_AZURE_206 | resource | azurerm_storage_account | Ensure that Storage Accounts use replication | Terraform | [StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsUseReplication.py) | +| 1458 | CKV_AZURE_207 | resource | azurerm_search_service | Ensure Azure Cognitive Search service uses managed identities to access Azure resources | Terraform | [AzureSearchManagedIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchManagedIdentity.py) | +| 1459 | CKV_AZURE_208 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for index updates | Terraform | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAIndex.py) | +| 1460 | CKV_AZURE_209 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for search index queries | Terraform | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAQueryUpdates.py) | +| 1461 | CKV_AZURE_210 | resource | azurerm_search_service | Ensure Azure Cognitive Search service allowed IPS does not give public Access | Terraform | [AzureSearchAllowedIPsNotGlobal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchAllowedIPsNotGlobal.py) | +| 1462 | CKV_AZURE_211 | resource | azurerm_service_plan | Ensure App Service plan suitable for production use | Terraform | [AppServiceSkuMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSkuMinimum.py) | +| 1463 | CKV_AZURE_212 | resource | azurerm_service_plan | Ensure App Service has a minimum number of instances for failover | Terraform | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py) | +| 1464 | CKV_AZURE_213 | resource | azurerm_app_service | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1465 | CKV_AZURE_213 | resource | azurerm_linux_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1466 | CKV_AZURE_213 | resource | azurerm_windows_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1467 | CKV_AZURE_214 | resource | azurerm_linux_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | +| 1468 | CKV_AZURE_214 | resource | azurerm_windows_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | +| 1469 | CKV_AZURE_215 | resource | azurerm_api_management_backend | Ensure API management backend uses https | Terraform | [APIManagementBackendHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementBackendHTTPS.py) | +| 1470 | CKV_AZURE_216 | resource | azurerm_firewall | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Terraform | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDenyThreatIntelMode.py) | +| 1471 | CKV_AZURE_217 | resource | azurerm_application_gateway | Ensure Azure Application gateways listener that allow connection requests over HTTP | Terraform | [AppGWUsesHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUsesHttps.py) | +| 1472 | CKV_AZURE_218 | resource | azurerm_application_gateway | Ensure Application Gateway defines secure protocols for in transit communication | Terraform | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py) | +| 1473 | CKV_AZURE_219 | resource | azurerm_firewall | Ensure Firewall defines a firewall policy | Terraform | [AzureFirewallDefinesPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDefinesPolicy.py) | +| 1474 | CKV_AZURE_220 | resource | azurerm_firewall_policy | Ensure Firewall policy has IDPS mode as deny | Terraform | [AzureFirewallPolicyIDPSDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallPolicyIDPSDeny.py) | +| 1475 | CKV_AZURE_221 | resource | azurerm_linux_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1476 | CKV_AZURE_221 | resource | azurerm_linux_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1477 | CKV_AZURE_221 | resource | azurerm_windows_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1478 | CKV_AZURE_221 | resource | azurerm_windows_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1479 | CKV_AZURE_222 | resource | azurerm_linux_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | +| 1480 | CKV_AZURE_222 | resource | azurerm_windows_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | +| 1481 | CKV_AZURE_223 | resource | azurerm_eventhub_namespace | Ensure Event Hub Namespace uses at least TLS 1.2 | Terraform | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceMinTLS12.py) | +| 1482 | CKV_AZURE_224 | resource | azurerm_mssql_database | Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity | Terraform | [SQLDatabaseLedgerEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseLedgerEnabled.py) | +| 1483 | CKV_AZURE_225 | resource | azurerm_service_plan | Ensure the App Service Plan is zone redundant | Terraform | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py) | +| 1484 | CKV_AZURE_226 | resource | azurerm_kubernetes_cluster | Ensure ephemeral disks are used for OS disks | Terraform | [AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py) | +| 1485 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | +| 1486 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster_node_pool | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | +| 1487 | CKV_AZURE_228 | resource | azurerm_eventhub_namespace | Ensure the Azure Event Hub Namespace is zone redundant | Terraform | [EventHubNamespaceZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceZoneRedundant.py) | +| 1488 | CKV_AZURE_229 | resource | azurerm_mssql_database | Ensure the Azure SQL Database Namespace is zone redundant | Terraform | [SQLDatabaseZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseZoneRedundant.py) | +| 1489 | CKV_AZURE_230 | resource | azurerm_redis_cache | Standard Replication should be enabled | Terraform | [RedisCacheStandardReplicationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheStandardReplicationEnabled.py) | +| 1490 | CKV_AZURE_231 | resource | azurerm_app_service_environment_v3 | Ensure App Service Environment is zone redundant | Terraform | [AppServiceEnvironmentZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnvironmentZoneRedundant.py) | +| 1491 | CKV_AZURE_232 | resource | azurerm_kubernetes_cluster | Ensure that only critical system pods run on system nodes | Terraform | [AKSOnlyCriticalPodsOnSystemNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSOnlyCriticalPodsOnSystemNodes.py) | +| 1492 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | [StorageCriticalDataEncryptedCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageCriticalDataEncryptedCMK.yaml) | +| 1493 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | +| 1494 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | +| 1495 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1496 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1497 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1498 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1499 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1500 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1501 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1502 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1503 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1504 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1505 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1506 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1507 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | +| 1508 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | +| 1509 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | [AzureActiveDirectoryAdminIsConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureActiveDirectoryAdminIsConfigured.yaml) | +| 1510 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 1511 | CKV2_AZURE_8 | resource | azurerm_storage_account | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 1512 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 1513 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | [VirtualMachinesUtilizingManagedDisks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VirtualMachinesUtilizingManagedDisks.yaml) | +| 1514 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | +| 1515 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | +| 1516 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | [DataExplorerEncryptionUsesCustomKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DataExplorerEncryptionUsesCustomKey.yaml) | +| 1517 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | [VMHasBackUpMachine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VMHasBackUpMachine.yaml) | +| 1518 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | +| 1519 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | +| 1520 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | +| 1521 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | +| 1522 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | [AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml) | +| 1523 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | +| 1524 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | +| 1525 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | +| 1526 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | +| 1527 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | [AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml) | +| 1528 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 1529 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 1530 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 1531 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 1532 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 1533 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 1534 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | +| 1535 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | +| 1536 | CKV2_AZURE_23 | resource | azurerm_spring_cloud_service | Ensure Azure spring cloud is configured with Virtual network (Vnet) | Terraform | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudConfigWithVnet.yaml) | +| 1537 | CKV2_AZURE_24 | resource | azurerm_automation_account | Ensure Azure automation account does NOT have overly permissive network access | Terraform | [AzureAutomationAccNotOverlyPermissiveNetAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccNotOverlyPermissiveNetAccess.yaml) | +| 1538 | CKV2_AZURE_25 | resource | azurerm_mssql_database | Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled | Terraform | [AzureSqlDbEnableTransparentDataEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSqlDbEnableTransparentDataEncryption.yaml) | +| 1539 | CKV2_AZURE_26 | resource | azurerm_postgresql_flexible_server_firewall_rule | Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access | Terraform | [AzurePostgreSQLFlexServerNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLFlexServerNotOverlyPermissive.yaml) | +| 1540 | CKV2_AZURE_27 | resource | azurerm_mssql_server | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Terraform | [AzureConfigMSSQLwithAD.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml) | +| 1541 | CKV2_AZURE_28 | resource | azurerm_container_group | Ensure Container Instance is configured with managed identity | Terraform | [AzureContainerInstanceconfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureContainerInstanceconfigManagedIdentity.yaml) | +| 1542 | CKV2_AZURE_29 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Azure CNI networking enabled | Terraform | [AzureAKSclusterAzureCNIEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAKSclusterAzureCNIEnabled.yaml) | +| 1543 | CKV2_AZURE_30 | resource | azurerm_container_registry_webhook | Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook | Terraform | [AzureACR_HTTPSwebhook.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureACR_HTTPSwebhook.yaml) | +| 1544 | CKV2_AZURE_31 | resource | azurerm_subnet | Ensure VNET subnet is configured with a Network Security Group (NSG) | Terraform | [AzureSubnetConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSubnetConfigWithNSG.yaml) | +| 1545 | CKV2_AZURE_32 | resource | azurerm_key_vault | Ensure private endpoint is configured to key vault | Terraform | [AzureKeyVaultConfigPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureKeyVaultConfigPrivateEndpoint.yaml) | +| 1546 | CKV2_AZURE_33 | resource | azurerm_storage_account | Ensure storage account is configured with private endpoint | Terraform | [AzureStorageAccConfigWithPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithPrivateEndpoint.yaml) | +| 1547 | CKV2_AZURE_34 | resource | azurerm_sql_firewall_rule | Ensure Azure SQL server firewall is not overly permissive | Terraform | [AzureSQLserverNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSQLserverNotOverlyPermissive.yaml) | +| 1548 | CKV2_AZURE_35 | resource | azurerm_recovery_services_vault | Ensure Azure recovery services vault is configured with managed identity | Terraform | [AzureRecoveryServicesvaultConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureRecoveryServicesvaultConfigManagedIdentity.yaml) | +| 1549 | CKV2_AZURE_36 | resource | azurerm_automation_account | Ensure Azure automation account is configured with managed identity | Terraform | [AzureAutomationAccConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccConfigManagedIdentity.yaml) | +| 1550 | CKV2_AZURE_37 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is using latest TLS (1.2) | Terraform | [AzureMariaDBserverUsingTLS_1_2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverUsingTLS_1_2.yaml) | +| 1551 | CKV2_AZURE_38 | resource | azurerm_storage_account | Ensure soft-delete is enabled on Azure storage account | Terraform | [AzureStorageAccountEnableSoftDelete.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccountEnableSoftDelete.yaml) | +| 1552 | CKV2_AZURE_39 | resource | azurerm_linux_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 1553 | CKV2_AZURE_39 | resource | azurerm_network_interface | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 1554 | CKV2_AZURE_39 | resource | azurerm_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 1555 | CKV2_AZURE_39 | resource | azurerm_windows_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 1556 | CKV2_AZURE_40 | resource | azurerm_storage_account | Ensure storage account is not configured with Shared Key authorization | Terraform | [AzureStorageAccConfigSharedKeyAuth.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml) | +| 1557 | CKV2_AZURE_41 | resource | azurerm_storage_account | Ensure storage account is configured with SAS expiration policy | Terraform | [AzureStorageAccConfig_SAS_expirePolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml) | +| 1558 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/bridgecrew/credentials.py) | +| 1559 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | [SpacesBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketVersioning.py) | +| 1560 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | [DropletSSHKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/DropletSSHKeys.py) | +| 1561 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | [SpacesBucketPublicRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketPublicRead.py) | +| 1562 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | [FirewallIngressOpen.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/FirewallIngressOpen.py) | +| 1563 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClusterLogging.py) | +| 1564 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | [GoogleComputeFirewallUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress22.py) | +| 1565 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3389.py) | +| 1566 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | [GoogleComputeSSLPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSSLPolicy.py) | +| 1567 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | [GoogleCloudSqlDatabaseRequireSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py) | +| 1568 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | [GKEDisableLegacyAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDisableLegacyAuth.py) | +| 1569 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMonitoringEnabled.py) | +| 1570 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoRepairEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoRepairEnabled.py) | +| 1571 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoUpgradeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoUpgradeEnabled.py) | +| 1572 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | [GoogleCloudSqlDatabasePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabasePubliclyAccessible.py) | +| 1573 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | [GKENetworkPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENetworkPolicyEnabled.py) | +| 1574 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | [GKEClientCertificateDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py) | +| 1575 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | [GoogleCloudSqlBackupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlBackupConfiguration.py) | +| 1576 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | [GoogleBigQueryDatasetPublicACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleBigQueryDatasetPublicACL.py) | +| 1577 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | [GoogleCloudDNSSECEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSSECEnabled.py) | +| 1578 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | [GoogleCloudDNSKeySpecsRSASHA1.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSKeySpecsRSASHA1.py) | +| 1579 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | [GKEPublicControlPlane.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPublicControlPlane.py) | +| 1580 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | [GKEBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBasicAuth.py) | +| 1581 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | [GKEMasterAuthorizedNetworksEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMasterAuthorizedNetworksEnabled.py) | +| 1582 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | [GKEHasLabels.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEHasLabels.py) | +| 1583 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | [GKEUseCosImage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py) | +| 1584 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | [GKEAliasIpEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEAliasIpEnabled.py) | +| 1585 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | [GKEPodSecurityPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py) | +| 1586 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | [GKEPrivateClusterConfig.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateClusterConfig.py) | +| 1587 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | [GoogleSubnetworkLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkLoggingEnabled.py) | +| 1588 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | [GoogleProjectDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectDefaultNetwork.py) | +| 1589 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | +| 1590 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | +| 1591 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | [GoogleStorageBucketUniformAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketUniformAccess.py) | +| 1592 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 1593 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 1594 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 1595 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 1596 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 1597 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 1598 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 1599 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 1600 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 1601 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | [GoogleComputeProjectOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeProjectOSLogin.py) | +| 1602 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 1603 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 1604 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 1605 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 1606 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 1607 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 1608 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 1609 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 1610 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 1611 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDiskEncryption.py) | +| 1612 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeBootDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBootDiskEncryption.py) | +| 1613 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 1614 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 1615 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 1616 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 1617 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 1618 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 1619 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | +| 1620 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | +| 1621 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | [GoogleProjectAdminServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectAdminServiceAccount.py) | +| 1622 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | [GoogleKMSRotationPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py) | +| 1623 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | +| 1624 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | +| 1625 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | +| 1626 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | +| 1627 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | +| 1628 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | +| 1629 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | +| 1630 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | +| 1631 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | +| 1632 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | +| 1633 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | +| 1634 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | +| 1635 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | [GoogleCloudMySqlLocalInfileOff.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudMySqlLocalInfileOff.py) | +| 1636 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogCheckpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py) | +| 1637 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogConnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py) | +| 1638 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogDisconnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py) | +| 1639 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogLockWaits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py) | +| 1640 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | [GoogleCloudPostgreSqlLogMinMessage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinMessage.py) | +| 1641 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | [GoogleCloudPostgreSqlLogTemp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogTemp.py) | +| 1642 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | [GoogleCloudPostgreSqlLogMinDuration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinDuration.py) | +| 1643 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | [GoogleCloudSqlServerCrossDBOwnershipChaining.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerCrossDBOwnershipChaining.py) | +| 1644 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | [GoogleCloudSqlServerContainedDBAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerContainedDBAuthentication.py) | +| 1645 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | [GoogleCloudSqlServerNoPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerNoPublicIP.py) | +| 1646 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | [GKEEnableVPCFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableVPCFlowLogs.py) | +| 1647 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | [CloudStorageLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageLogging.py) | +| 1648 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | [CloudStorageSelfLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageSelfLogging.py) | +| 1649 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | [GKEPrivateNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateNodes.py) | +| 1650 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | [GKEKubernetesRBACGoogleGroups.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEKubernetesRBACGoogleGroups.py) | +| 1651 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | [GKEBinaryAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py) | +| 1652 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | +| 1653 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | +| 1654 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | +| 1655 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | +| 1656 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | [GKEReleaseChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEReleaseChannel.py) | +| 1657 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | [GKEEnableShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableShieldedNodes.py) | +| 1658 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | +| 1659 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | +| 1660 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [CloudArmorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py) | +| 1661 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | [GoogleSubnetworkPrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py) | +| 1662 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | [GoogleComputeFirewallUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress21.py) | +| 1663 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | [GoogleSubnetworkIPV6PrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py) | +| 1664 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | [GoogleComputeFirewallUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress20.py) | +| 1665 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | [CloudStorageVersioningEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageVersioningEnabled.py) | +| 1666 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | [CloudSqlMajorVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudSqlMajorVersion.py) | +| 1667 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryTableEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableEncryptedWithCMK.py) | +| 1668 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryDatasetEncryptedWithCMK.py) | +| 1669 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | [GoogleKMSPreventDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSPreventDestroy.py) | +| 1670 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [CloudPubSubEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudPubSubEncryptedWithCMK.py) | +| 1671 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [ArtifactRegsitryEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegsitryEncryptedWithCMK.py) | +| 1672 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigTableInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceEncryptedWithCMK.py) | +| 1673 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | [CloudBuildWorkersArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudBuildWorkersArePrivate.py) | +| 1674 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | [DataFusionPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionPrivateInstance.py) | +| 1675 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3306.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3306.py) | +| 1676 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | [VertexAIPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIPrivateInstance.py) | +| 1677 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataflowJobEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowJobEncryptedWithCMK.py) | +| 1678 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataprocClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocClusterEncryptedWithCMK.py) | +| 1679 | CKV_GCP_92 | resource | google_vertex_ai_dataset | Ensure Vertex AI datasets uses a CMK (Customer Manager Key) | Terraform | [VertexAIDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIDatasetEncryptedWithCMK.py) | +| 1680 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [SpannerDatabaseEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseEncryptedWithCMK.py) | +| 1681 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | [DataflowPrivateJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowPrivateJob.py) | +| 1682 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | [MemorystoreForRedisAuthEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisAuthEnabled.py) | +| 1683 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Manager Key) | Terraform | [VertexAIMetadataStoreEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIMetadataStoreEncryptedWithCMK.py) | +| 1684 | CKV_GCP_97 | resource | google_redis_instance | Ensure Memorystore for Redis uses intransit encryption | Terraform | [MemorystoreForRedisInTransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisInTransitEncryption.py) | +| 1685 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | +| 1686 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | +| 1687 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | +| 1688 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | +| 1689 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | +| 1690 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | +| 1691 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | +| 1692 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | +| 1693 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | +| 1694 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | +| 1695 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | [DataprocPublicIpCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPublicIpCluster.py) | +| 1696 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | [DataFusionStackdriverLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverLogs.py) | +| 1697 | CKV_GCP_105 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver monitoring enabled | Terraform | [DataFusionStackdriverMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverMonitoring.py) | +| 1698 | CKV_GCP_106 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | Terraform | [GoogleComputeFirewallUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress80.py) | +| 1699 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 1700 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 1701 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 1702 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 1703 | CKV_GCP_108 | resource | google_sql_database_instance | Ensure hostnames are logged for GCP PostgreSQL databases | Terraform | [GoogleCloudPostgreSqlLogHostname.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogHostname.py) | +| 1704 | CKV_GCP_109 | resource | google_sql_database_instance | Ensure the GCP PostgreSQL database log levels are set to ERROR or lower | Terraform | [GoogleCloudPostgreSqlLogMinErrorStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinErrorStatement.py) | +| 1705 | CKV_GCP_110 | resource | google_sql_database_instance | Ensure pgAudit is enabled for your GCP PostgreSQL database | Terraform | [GoogleCloudPostgreSqlEnablePgaudit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlEnablePgaudit.py) | +| 1706 | CKV_GCP_111 | resource | google_sql_database_instance | Ensure GCP PostgreSQL logs SQL statements | Terraform | [GoogleCloudPostgreSqlLogStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogStatement.py) | +| 1707 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_binding | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | +| 1708 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_member | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | +| 1709 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_policy | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | +| 1710 | CKV_GCP_113 | data | google_iam_policy | Ensure IAM policy should not define public access | Terraform | [GooglePolicyIsPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py) | +| 1711 | CKV_GCP_114 | resource | google_storage_bucket | Ensure public access prevention is enforced on Cloud Storage bucket | Terraform | [GoogleStoragePublicAccessPrevention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStoragePublicAccessPrevention.py) | +| 1712 | CKV_GCP_115 | resource | google_organization_iam_binding | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | +| 1713 | CKV_GCP_115 | resource | google_organization_iam_member | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | +| 1714 | CKV_GCP_116 | resource | google_folder_iam_binding | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | +| 1715 | CKV_GCP_116 | resource | google_folder_iam_member | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | +| 1716 | CKV_GCP_117 | resource | google_project_iam_binding | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | +| 1717 | CKV_GCP_117 | resource | google_project_iam_member | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | +| 1718 | CKV_GCP_118 | resource | google_iam_workload_identity_pool_provider | Ensure IAM workload identity pool provider is restricted | Terraform | [GoogleIAMWorkloadIdentityConditional.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleIAMWorkloadIdentityConditional.py) | +| 1719 | CKV_GCP_119 | resource | google_spanner_database | Ensure Spanner Database has deletion protection enabled | Terraform | [SpannerDatabaseDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDeletionProtection.py) | +| 1720 | CKV_GCP_120 | resource | google_spanner_database | Ensure Spanner Database has drop protection enabled | Terraform | [SpannerDatabaseDropProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDropProtection.py) | +| 1721 | CKV_GCP_121 | resource | google_bigquery_table | Ensure BigQuery tables have deletion protection enabled | Terraform | [BigQueryTableDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableDeletionProtection.py) | +| 1722 | CKV_GCP_122 | resource | google_bigtable_instance | Ensure Big Table Instances have deletion protection enabled | Terraform | [BigTableInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceDeletionProtection.py) | +| 1723 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | [GKEClustersAreNotUsingDefaultServiceAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GKEClustersAreNotUsingDefaultServiceAccount.yaml) | +| 1724 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | [GCPProjectHasNoLegacyNetworks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPProjectHasNoLegacyNetworks.yaml) | +| 1725 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | [ServiceAccountHasGCPmanagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/ServiceAccountHasGCPmanagedKey.yaml) | +| 1726 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 1727 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 1728 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 1729 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 1730 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | +| 1731 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | +| 1732 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | +| 1733 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | +| 1734 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | +| 1735 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | +| 1736 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | +| 1737 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | +| 1738 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | +| 1739 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | +| 1740 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | +| 1741 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | +| 1742 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | +| 1743 | CKV2_GCP_10 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function HTTP trigger is secured | Terraform | [CloudFunctionSecureHTTPTrigger.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml) | +| 1744 | CKV2_GCP_11 | resource | google_project_services | Ensure GCP GCR Container Vulnerability Scanning is enabled | Terraform | [GCRContainerVulnerabilityScanningEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCRContainerVulnerabilityScanningEnabled.yaml) | +| 1745 | CKV2_GCP_12 | resource | google_compute_firewall | Ensure GCP compute firewall ingress does not allow unrestricted access to all ports | Terraform | [GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml) | +| 1746 | CKV2_GCP_13 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_duration' is set to 'on' | Terraform | [GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml) | +| 1747 | CKV2_GCP_14 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml) | +| 1748 | CKV2_GCP_15 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml) | +| 1749 | CKV2_GCP_16 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml) | +| 1750 | CKV2_GCP_17 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml) | +| 1751 | CKV2_GCP_18 | resource | google_compute_network | Ensure GCP network defines a firewall and does not use the default firewall | Terraform | [GCPNetworkDoesNotUseDefaultFirewall.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml) | +| 1752 | CKV2_GCP_19 | resource | google_container_cluster | Ensure GCP Kubernetes engine clusters have 'alpha cluster' feature disabled | Terraform | [GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml) | +| 1753 | CKV2_GCP_20 | resource | google_sql_database_instance | Ensure MySQL DB instance has point-in-time recovery backup configured | Terraform | [GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml) | +| 1754 | CKV_GIT_1 | resource | github_repository | Ensure GitHub repository is Private | Terraform | [PrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/PrivateRepo.py) | +| 1755 | CKV_GIT_2 | resource | github_repository_webhook | Ensure GitHub repository webhooks are using HTTPS | Terraform | [WebhookInsecureSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/WebhookInsecureSsl.py) | +| 1756 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | [RepositoryEnableVulnerabilityAlerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py) | +| 1757 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | +| 1758 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | +| 1759 | CKV_GIT_4 | resource | github_actions_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | +| 1760 | CKV_GIT_5 | resource | github_branch_protection | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | +| 1761 | CKV_GIT_5 | resource | github_branch_protection_v3 | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | +| 1762 | CKV_GIT_6 | resource | github_branch_protection | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | +| 1763 | CKV_GIT_6 | resource | github_branch_protection_v3 | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | +| 1764 | CKV2_GIT_1 | resource | github_repository | Ensure each Repository has branch protection associated | Terraform | [RepositoryHasBranchProtection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/github/RepositoryHasBranchProtection.yaml) | +| 1765 | CKV_GLB_1 | resource | gitlab_project | Ensure at least two approving reviews are required to merge a GitLab MR | Terraform | [RequireTwoApprovalsToMerge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RequireTwoApprovalsToMerge.py) | +| 1766 | CKV_GLB_2 | resource | gitlab_branch_protection | Ensure GitLab branch protection rules does not allow force pushes | Terraform | [ForcePushDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/ForcePushDisabled.py) | +| 1767 | CKV_GLB_3 | resource | gitlab_project | Ensure GitLab prevent secrets is enabled | Terraform | [PreventSecretsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/PreventSecretsEnabled.py) | +| 1768 | CKV_GLB_4 | resource | gitlab_project | Ensure GitLab commits are signed | Terraform | [RejectUnsignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RejectUnsignedCommits.py) | +| 1769 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPIDPSP.py) | +| 1770 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | [PrivilegedContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainerPSP.py) | +| 1771 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPCPSP.py) | +| 1772 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespacePSP.py) | +| 1773 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalationPSP.py) | +| 1774 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | [RootContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py) | +| 1775 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py) | +| 1776 | CKV_K8S_8 | resource | kubernetes_deployment | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 1777 | CKV_K8S_8 | resource | kubernetes_deployment_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 1778 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 1779 | CKV_K8S_8 | resource | kubernetes_pod_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 1780 | CKV_K8S_9 | resource | kubernetes_deployment | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 1781 | CKV_K8S_9 | resource | kubernetes_deployment_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 1782 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 1783 | CKV_K8S_9 | resource | kubernetes_pod_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 1784 | CKV_K8S_10 | resource | kubernetes_deployment | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 1785 | CKV_K8S_10 | resource | kubernetes_deployment_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 1786 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 1787 | CKV_K8S_10 | resource | kubernetes_pod_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 1788 | CKV_K8S_11 | resource | kubernetes_deployment | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 1789 | CKV_K8S_11 | resource | kubernetes_deployment_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 1790 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 1791 | CKV_K8S_11 | resource | kubernetes_pod_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 1792 | CKV_K8S_12 | resource | kubernetes_deployment | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 1793 | CKV_K8S_12 | resource | kubernetes_deployment_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 1794 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 1795 | CKV_K8S_12 | resource | kubernetes_pod_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 1796 | CKV_K8S_13 | resource | kubernetes_deployment | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 1797 | CKV_K8S_13 | resource | kubernetes_deployment_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 1798 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 1799 | CKV_K8S_13 | resource | kubernetes_pod_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 1800 | CKV_K8S_14 | resource | kubernetes_deployment | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 1801 | CKV_K8S_14 | resource | kubernetes_deployment_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 1802 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 1803 | CKV_K8S_14 | resource | kubernetes_pod_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 1804 | CKV_K8S_15 | resource | kubernetes_deployment | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 1805 | CKV_K8S_15 | resource | kubernetes_deployment_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 1806 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 1807 | CKV_K8S_15 | resource | kubernetes_pod_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 1808 | CKV_K8S_16 | resource | kubernetes_deployment | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 1809 | CKV_K8S_16 | resource | kubernetes_deployment_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 1810 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 1811 | CKV_K8S_16 | resource | kubernetes_pod_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 1812 | CKV_K8S_17 | resource | kubernetes_deployment | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 1813 | CKV_K8S_17 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 1814 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 1815 | CKV_K8S_17 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 1816 | CKV_K8S_18 | resource | kubernetes_deployment | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 1817 | CKV_K8S_18 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 1818 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 1819 | CKV_K8S_18 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 1820 | CKV_K8S_19 | resource | kubernetes_deployment | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 1821 | CKV_K8S_19 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 1822 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 1823 | CKV_K8S_19 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 1824 | CKV_K8S_20 | resource | kubernetes_deployment | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 1825 | CKV_K8S_20 | resource | kubernetes_deployment_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 1826 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 1827 | CKV_K8S_20 | resource | kubernetes_pod_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 1828 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1829 | CKV_K8S_21 | resource | kubernetes_config_map_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1830 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1831 | CKV_K8S_21 | resource | kubernetes_cron_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1832 | CKV_K8S_21 | resource | kubernetes_daemon_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1833 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1834 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1835 | CKV_K8S_21 | resource | kubernetes_deployment_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1836 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1837 | CKV_K8S_21 | resource | kubernetes_ingress_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1838 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1839 | CKV_K8S_21 | resource | kubernetes_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1840 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1841 | CKV_K8S_21 | resource | kubernetes_pod_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1842 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1843 | CKV_K8S_21 | resource | kubernetes_replication_controller_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1844 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1845 | CKV_K8S_21 | resource | kubernetes_role_binding_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1846 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1847 | CKV_K8S_21 | resource | kubernetes_secret_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1848 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1849 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1850 | CKV_K8S_21 | resource | kubernetes_service_account_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1851 | CKV_K8S_21 | resource | kubernetes_service_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1852 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1853 | CKV_K8S_21 | resource | kubernetes_stateful_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1854 | CKV_K8S_22 | resource | kubernetes_deployment | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 1855 | CKV_K8S_22 | resource | kubernetes_deployment_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 1856 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 1857 | CKV_K8S_22 | resource | kubernetes_pod_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 1858 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesPSP.py) | +| 1859 | CKV_K8S_25 | resource | kubernetes_deployment | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 1860 | CKV_K8S_25 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 1861 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 1862 | CKV_K8S_25 | resource | kubernetes_pod_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 1863 | CKV_K8S_26 | resource | kubernetes_deployment | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 1864 | CKV_K8S_26 | resource | kubernetes_deployment_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 1865 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 1866 | CKV_K8S_26 | resource | kubernetes_pod_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 1867 | CKV_K8S_27 | resource | kubernetes_daemon_set_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1868 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1869 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1870 | CKV_K8S_27 | resource | kubernetes_deployment_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1871 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1872 | CKV_K8S_27 | resource | kubernetes_pod_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1873 | CKV_K8S_28 | resource | kubernetes_deployment | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 1874 | CKV_K8S_28 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 1875 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 1876 | CKV_K8S_28 | resource | kubernetes_pod_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 1877 | CKV_K8S_29 | resource | kubernetes_daemon_set_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1878 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1879 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1880 | CKV_K8S_29 | resource | kubernetes_deployment_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1881 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1882 | CKV_K8S_29 | resource | kubernetes_pod_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1883 | CKV_K8S_30 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 1884 | CKV_K8S_30 | resource | kubernetes_deployment_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 1885 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 1886 | CKV_K8S_30 | resource | kubernetes_pod_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 1887 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py) | +| 1888 | CKV_K8S_34 | resource | kubernetes_deployment | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 1889 | CKV_K8S_34 | resource | kubernetes_deployment_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 1890 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 1891 | CKV_K8S_34 | resource | kubernetes_pod_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 1892 | CKV_K8S_35 | resource | kubernetes_deployment | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 1893 | CKV_K8S_35 | resource | kubernetes_deployment_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 1894 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 1895 | CKV_K8S_35 | resource | kubernetes_pod_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 1896 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilitiesPSP.py) | +| 1897 | CKV_K8S_37 | resource | kubernetes_deployment | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 1898 | CKV_K8S_37 | resource | kubernetes_deployment_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 1899 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 1900 | CKV_K8S_37 | resource | kubernetes_pod_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 1901 | CKV_K8S_39 | resource | kubernetes_deployment | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 1902 | CKV_K8S_39 | resource | kubernetes_deployment_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 1903 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 1904 | CKV_K8S_39 | resource | kubernetes_pod_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 1905 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | +| 1906 | CKV_K8S_41 | resource | kubernetes_service_account_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | +| 1907 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 1908 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 1909 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 1910 | CKV_K8S_42 | resource | kubernetes_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 1911 | CKV_K8S_43 | resource | kubernetes_deployment | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 1912 | CKV_K8S_43 | resource | kubernetes_deployment_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 1913 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 1914 | CKV_K8S_43 | resource | kubernetes_pod_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 1915 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | +| 1916 | CKV_K8S_44 | resource | kubernetes_service_v1 | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | +| 1917 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 1918 | CKV_K8S_49 | resource | kubernetes_cluster_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 1919 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 1920 | CKV_K8S_49 | resource | kubernetes_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 1921 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/linode/credentials.py) | +| 1922 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | [authorized_keys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/authorized_keys.py) | +| 1923 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | [user_email_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_email_set.py) | +| 1924 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | [user_username_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_username_set.py) | +| 1925 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_inbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_inbound_policy.py) | +| 1926 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_outbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_outbound_policy.py) | +| 1927 | CKV_NCP_1 | resource | ncloud_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupDefinesHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py) | +| 1928 | CKV_NCP_2 | resource | ncloud_access_control_group | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | +| 1929 | CKV_NCP_2 | resource | ncloud_access_control_group_rule | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | +| 1930 | CKV_NCP_3 | resource | ncloud_access_control_group_rule | Ensure no security group rules allow outbound traffic to 0.0.0.0/0 | Terraform | [AccessControlGroupOutboundRule.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py) | +| 1931 | CKV_NCP_4 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22 | Terraform | [AccessControlGroupInboundRulePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort22.py) | +| 1932 | CKV_NCP_5 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [AccessControlGroupInboundRulePort3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort3389.py) | +| 1933 | CKV_NCP_6 | resource | ncloud_server | Ensure Server instance is encrypted. | Terraform | [ServerEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerEncryptionVPC.py) | +| 1934 | CKV_NCP_7 | resource | ncloud_launch_configuration | Ensure Basic Block storage is encrypted. | Terraform | [LaunchConfigurationEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LaunchConfigurationEncryptionVPC.py) | +| 1935 | CKV_NCP_8 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 20 | Terraform | [NACLInbound20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound20.py) | +| 1936 | CKV_NCP_9 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 21 | Terraform | [NACLInbound21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound21.py) | +| 1937 | CKV_NCP_10 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 22 | Terraform | [NACLInbound22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound22.py) | +| 1938 | CKV_NCP_11 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [NACLInbound3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound3389.py) | +| 1939 | CKV_NCP_12 | resource | ncloud_network_acl_rule | An inbound Network ACL rule should not allow ALL ports. | Terraform | [NACLPortCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLPortCheck.py) | +| 1940 | CKV_NCP_13 | resource | ncloud_lb_listener | Ensure LB Listener uses only secure protocols | Terraform | [LBListenerUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py) | +| 1941 | CKV_NCP_14 | resource | ncloud_nas_volume | Ensure NAS is securely encrypted | Terraform | [NASEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py) | +| 1942 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | [LBTargetGroupUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py) | +| 1943 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | [LBNetworkPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py) | +| 1944 | CKV_NCP_18 | resource | ncloud_auto_scaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | +| 1945 | CKV_NCP_18 | resource | ncloud_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | +| 1946 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | [NKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSPublicAccess.py) | +| 1947 | CKV_NCP_20 | resource | ncloud_route | Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | Terraform | [RouteTableNATGatewayDefault.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py) | +| 1948 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | [NKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py) | +| 1949 | CKV_NCP_22 | resource | ncloud_route_table | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | +| 1950 | CKV_NCP_22 | resource | ncloud_subnet | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | +| 1951 | CKV_NCP_23 | resource | ncloud_public_ip | Ensure Server instance should not have public IP. | Terraform | [ServerPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerPublicIP.py) | +| 1952 | CKV_NCP_24 | resource | ncloud_lb_listener | Ensure Load Balancer Listener Using HTTPS | Terraform | [LBListenerUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsingHTTPS.py) | +| 1953 | CKV_NCP_25 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 | Terraform | [AccessControlGroupInboundRulePort80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort80.py) | +| 1954 | CKV_NCP_26 | resource | ncloud_access_control_group | Ensure Access Control Group has Access Control Group Rule attached | Terraform | [AccessControlGroupRuleDefine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AccessControlGroupRuleDefine.yaml) | +| 1955 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/oci/credentials.py) | +| 1956 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | [StorageBlockBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockBackupEnabled.py) | +| 1957 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | [StorageBlockEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockEncryption.py) | +| 1958 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | [InstanceBootVolumeIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceBootVolumeIntransitEncryption.py) | +| 1959 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | [InstanceMetadataServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMetadataServiceEnabled.py) | +| 1960 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | [InstanceMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMonitoringEnabled.py) | +| 1961 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | [ObjectStorageEmitEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEmitEvents.py) | +| 1962 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | [ObjectStorageVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageVersioning.py) | +| 1963 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | [ObjectStorageEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEncryption.py) | +| 1964 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | [ObjectStoragePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStoragePublic.py) | +| 1965 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | [IAMPasswordPolicyLowerCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyLowerCase.py) | +| 1966 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | [IAMPasswordPolicyNumeric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyNumeric.py) | +| 1967 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | [IAMPasswordPolicySpecialCharacters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicySpecialCharacters.py) | +| 1968 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | [IAMPasswordPolicyUpperCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyUpperCase.py) | +| 1969 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | [FileSystemEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/FileSystemEncryption.py) | +| 1970 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | [SecurityListIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngress.py) | +| 1971 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | [SecurityListIngressStateless.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngressStateless.py) | +| 1972 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters | Terraform | [IAMPasswordLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordLength.py) | +| 1973 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | [SecurityListUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress22.py) | +| 1974 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | [SecurityListUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress3389.py) | +| 1975 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | [SecurityGroupsIngressStatelessSecurityRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityGroupsIngressStatelessSecurityRules.py) | +| 1976 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | [AbsSecurityGroupUnrestrictedIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/AbsSecurityGroupUnrestrictedIngress.py) | +| 1977 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 1978 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 1979 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 1980 | CKV2_OCI_2 | resource | oci_core_network_security_group_security_rule | Ensure NSG does not allow all traffic on RDP port (3389) | Terraform | [OCI_NSGNotAllowRDP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml) | +| 1981 | CKV2_OCI_3 | resource | oci_containerengine_cluster | Ensure Kubernetes engine cluster is configured with NSG(s) | Terraform | [OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml) | +| 1982 | CKV2_OCI_4 | resource | oci_file_storage_export | Ensure File Storage File System access is restricted to root users | Terraform | [OCI_NFSaccessRestrictedToRootUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NFSaccessRestrictedToRootUsers.yaml) | +| 1983 | CKV2_OCI_5 | resource | oci_containerengine_node_pool | Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Terraform | [OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml) | +| 1984 | CKV2_OCI_6 | resource | oci_containerengine_cluster | Ensure Kubernetes Engine Cluster pod security policy is enforced | Terraform | [OCI_K8EngineClusterPodSecPolicyEnforced.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterPodSecPolicyEnforced.yaml) | +| 1985 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/openstack/credentials.py) | +| 1986 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | +| 1987 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | +| 1988 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | +| 1989 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | +| 1990 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | [ComputeInstanceAdminPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/ComputeInstanceAdminPassword.py) | +| 1991 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | [FirewallRuleSetDestinationIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/FirewallRuleSetDestinationIP.py) | +| 1992 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/panos/credentials.py) | +| 1993 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoHTTP.py) | +| 1994 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoTelnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoTelnet.py) | +| 1995 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | +| 1996 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | +| 1997 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | +| 1998 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | +| 1999 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | +| 2000 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | +| 2001 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | +| 2002 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | +| 2003 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | +| 2004 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | +| 2005 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | +| 2006 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | +| 2007 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | +| 2008 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | +| 2009 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | +| 2010 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | +| 2011 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | +| 2012 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | +| 2013 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | +| 2014 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | +| 2015 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 2016 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 2017 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 2018 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | +| 2019 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | +| 2020 | CKV_TF_1 | module | module | Ensure Terraform module sources use a commit hash | Terraform | [RevisionHash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py) | +| 2021 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2022 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2023 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2024 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2025 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2026 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2027 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2028 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2029 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2030 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | [ComputeVMPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMPublicIP.py) | +| 2031 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | [ObjectStorageBucketEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketEncryption.py) | +| 2032 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | [ComputeVMSerialConsole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSerialConsole.py) | +| 2033 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | [K8SPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SPublicIP.py) | +| 2034 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | [K8SNodeGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupPublicIP.py) | +| 2035 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform | [K8SAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SAutoUpgrade.py) | +| 2036 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | [K8SNodeGroupAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupAutoUpgrade.py) | +| 2037 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | [KMSSymmetricKeyRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/KMSSymmetricKeyRotation.py) | +| 2038 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | [K8SEtcdKMSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SEtcdKMSEncryption.py) | +| 2039 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | [ComputeVMSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSecurityGroup.py) | +| 2040 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2041 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2042 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2043 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2044 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2045 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2046 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2047 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2048 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | +| 2049 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | +| 2050 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | [K8SSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SSecurityGroup.py) | +| 2051 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | [K8SNodeGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupSecurityGroup.py) | +| 2052 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | [K8SNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNetworkPolicy.py) | +| 2053 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. | Terraform | [ObjectStorageBucketPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py) | +| 2054 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | [ComputeInstanceGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupPublicIP.py) | +| 2055 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform | [VPCSecurityGroupAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py) | +| 2056 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | [VPCSecurityGroupRuleAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py) | +| 2057 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | +| 2058 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | +| 2059 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform | [ComputeInstanceGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupSecurityGroup.py) | +| 2060 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | +| 2061 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | +| 2062 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 2063 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 2064 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 2065 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 2066 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 2067 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | --- diff --git a/extra_stubs/docker/__init__.pyi b/extra_stubs/docker/__init__.pyi new file mode 100644 index 00000000000..af6e877d262 --- /dev/null +++ b/extra_stubs/docker/__init__.pyi @@ -0,0 +1,5 @@ +from .client import DockerClient, from_env + +__all__ = [ + "from_env", +] diff --git a/extra_stubs/docker/client.pyi b/extra_stubs/docker/client.pyi new file mode 100644 index 00000000000..5eb6dc93252 --- /dev/null +++ b/extra_stubs/docker/client.pyi @@ -0,0 +1,13 @@ +from typing import Any + +from .models.images import ImageCollection + +class DockerClient: + @classmethod + def from_env(cls, **kwargs: Any) -> DockerClient: ... + + @property + def images(self) -> ImageCollection: ... + + +from_env = DockerClient.from_env diff --git a/extra_stubs/docker/models/images.pyi b/extra_stubs/docker/models/images.pyi new file mode 100644 index 00000000000..e1b1cc51283 --- /dev/null +++ b/extra_stubs/docker/models/images.pyi @@ -0,0 +1,14 @@ +from typing import Any + + +class Image: + attrs: dict[str, Any] + @property + def id(self) -> str: ... # is actually defined in its parent class 'Model' + @property + def short_id(self) -> str: ... + + +class ImageCollection: + def get(self, name: str) -> Image: ... + def pull(self, repository: str, tag: str | None= ..., all_tags: bool = ..., **kwargs: Any) -> Image: ... diff --git a/integration_tests/prepare_data.sh b/integration_tests/prepare_data.sh index 6cd8c59ba4d..845536a768c 100755 --- a/integration_tests/prepare_data.sh +++ b/integration_tests/prepare_data.sh @@ -31,12 +31,12 @@ fi if [[ "$2" == "3.8" && "$1" == "ubuntu-latest" ]] then - pipenv run checkov -s -f terragoat/terraform/aws/s3.tf --bc-api-key $BC_KEY > checkov_report_s3_singlefile_api_key_terragoat.txt - pipenv run checkov -s -d terragoat/terraform/azure/ --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat.txt - pipenv run checkov -s -d terragoat/terraform/azure/ --skip-results-upload --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat_no_upload.txt + pipenv run checkov -s -f terragoat/terraform/aws/s3.tf --repo-id checkov/integration_test --bc-api-key $BC_KEY > checkov_report_s3_singlefile_api_key_terragoat.txt + pipenv run checkov -s -d terragoat/terraform/azure/ --repo-id checkov/integration_test --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat.txt + pipenv run checkov -s -d terragoat/terraform/azure/ --repo-id checkov/integration_test --skip-results-upload --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat_no_upload.txt echo "running image referencing" - pipenv run checkov -s -d integration_tests/example_workflow_file/.github/workflows/ -o json --bc-api-key $BC_KEY --include-all-checkov-policies > checkov_report_workflow_cve.json - pipenv run checkov -s -d integration_tests/example_workflow_file/bitbucket/ -o json --bc-api-key $BC_KEY --include-all-checkov-policies > checkov_report_bitbucket_pipelines_cve.json + pipenv run checkov -s -d integration_tests/example_workflow_file/.github/workflows/ -o json --repo-id checkov/integration_test --bc-api-key $BC_KEY --include-all-checkov-policies > checkov_report_workflow_cve.json + pipenv run checkov -s -d integration_tests/example_workflow_file/bitbucket/ -o json --repo-id checkov/integration_test --bc-api-key $BC_KEY --include-all-checkov-policies > checkov_report_bitbucket_pipelines_cve.json echo "running list" pipenv run checkov --list --bc-api-key $BC_KEY --output-bc-ids > checkov_checks_list.txt echo "running tfc" diff --git a/integration_tests/run_integration_tests.sh b/integration_tests/run_integration_tests.sh index 2125e3f39f4..fe3b247d8d5 100755 --- a/integration_tests/run_integration_tests.sh +++ b/integration_tests/run_integration_tests.sh @@ -22,10 +22,10 @@ prepare_data () { python checkov/main.py -s --framework cloudformation -d repositories/cfngoat/ -o json --quiet > checkov_report_cfngoat_quiet.json python checkov/main.py -s -d repositories/terragoat/terraform/ --config-file integration_tests/example_config_files/config.yaml -o json > checkov_config_report_terragoat.json - python checkov/main.py -s -f repositories/terragoat/terraform/aws/s3.tf --bc-api-key $BC_KEY > checkov_report_s3_singlefile_api_key_terragoat.txt - python checkov/main.py -s -d repositories/terragoat/terraform/azure/ --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat.txt - python checkov/main.py -s -d integration_tests/example_workflow_file/.github/workflows/ -o json --bc-api-key $BC_KEY --include-all-checkov-policies > checkov_report_workflow_cve.json - python checkov/main.py -s -d integration_tests/example_workflow_file/bitbucket/ -o json --bc-api-key $BC_KEY --include-all-checkov-policies > checkov_report_bitbucket_pipelines_cve.json + python checkov/main.py -s -f repositories/terragoat/terraform/aws/s3.tf --repo-id checkov/integration_test --bc-api-key $BC_KEY > checkov_report_s3_singlefile_api_key_terragoat.txt + python checkov/main.py -s -d repositories/terragoat/terraform/azure/ --repo-id checkov/integration_test --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat.txt + python checkov/main.py -s -d integration_tests/example_workflow_file/.github/workflows/ -o json --repo-id checkov/integration_test --bc-api-key $BC_KEY --include-all-checkov-policies > checkov_report_workflow_cve.json + python checkov/main.py -s -d integration_tests/example_workflow_file/bitbucket/ -o json --repo-id checkov/integration_test --bc-api-key $BC_KEY --include-all-checkov-policies > checkov_report_bitbucket_pipelines_cve.json python checkov/main.py --list --bc-api-key $BC_KEY --output-bc-ids > checkov_checks_list.txt } diff --git a/integration_tests/test_checkov_cli_integration_report.py b/integration_tests/test_checkov_cli_integration_report.py index d594bae1ec3..36f92b3d0c6 100644 --- a/integration_tests/test_checkov_cli_integration_report.py +++ b/integration_tests/test_checkov_cli_integration_report.py @@ -21,7 +21,7 @@ def test_terragoat_report_file_api_key(self): self.validate_report(os.path.abspath(report_path)) def validate_report(self, report_path, url_should_exist=True): - if sys.version_info[1] == 7 and platform.system() == 'Linux': + if sys.version_info[1] == 8 and platform.system() == 'Linux': platform_url_found = False with open(report_path) as f: if 'More details: https://www.bridgecrew.cloud/projects?' in f.read(): @@ -30,7 +30,7 @@ def validate_report(self, report_path, url_should_exist=True): def test_workflow_report_api_key(self): report_path = os.path.join(current_dir, '..', 'checkov_report_workflow_cve.json') - if sys.version_info[1] == 7 and platform.system() == 'Linux': + if sys.version_info[1] == 8 and platform.system() == 'Linux': with open(report_path, encoding='utf-8') as f: reports = json.load(f) self.assertGreaterEqual(len(reports), 2, @@ -49,7 +49,7 @@ def test_workflow_report_api_key(self): def test_bitbucket_pipelines_report_api_key(self): report_path = os.path.join(current_dir, '..', 'checkov_report_bitbucket_pipelines_cve.json') - if sys.version_info[1] == 7 and platform.system() == 'Linux': + if sys.version_info[1] == 8 and platform.system() == 'Linux': with open(report_path, encoding='utf-8') as f: reports = json.load(f) self.assertGreaterEqual(len(reports), 2, diff --git a/integration_tests/test_checkov_ext_module_cloning.py b/integration_tests/test_checkov_ext_module_cloning.py index 981d86783a0..c3ef4be2ddb 100644 --- a/integration_tests/test_checkov_ext_module_cloning.py +++ b/integration_tests/test_checkov_ext_module_cloning.py @@ -10,7 +10,7 @@ class TestCheckovExtModuleCloning(unittest.TestCase): def test_private_github_modules_api_key(self): - if sys.version_info[1] == 7 and platform.system() == 'Linux' and False: + if sys.version_info[1] == 8 and platform.system() == 'Linux' and False: expected_private_github_path = os.path.join(ext_modules_path, "github.com", "ckv-tests") expected_private_github_modules = [os.path.join(expected_private_github_path, "terraform-aws-iam-s3-user-private"), os.path.join(expected_private_github_path, "terraform-aws-s3-bucket-private")] @@ -18,7 +18,7 @@ def test_private_github_modules_api_key(self): assert os.path.exists(m) def test_private_tfc_modules_api_key(self): - if sys.version_info[1] == 7 and platform.system() == 'Linux' and False: + if sys.version_info[1] == 8 and platform.system() == 'Linux' and False: expected_private_tfc_path = os.path.join(ext_modules_path, "app.terraform.io", "panw-bridgecrew") expected_private_tfc_modules = [ os.path.join(expected_private_tfc_path, "iam-s3-user", "aws", "0.15.7"), diff --git a/integration_tests/test_checkov_platform_only_policies.py b/integration_tests/test_checkov_platform_only_policies.py index 84eecea01c5..18f1d6b402a 100644 --- a/integration_tests/test_checkov_platform_only_policies.py +++ b/integration_tests/test_checkov_platform_only_policies.py @@ -13,7 +13,7 @@ class TestCheckovPlatformOnlyPolicies(unittest.TestCase): def test_no_ckv_ids_api_key(self): checks_list_path = current_dir.parent / 'checkov_checks_list.txt' - if sys.version_info[1] == 7 and platform.system() == 'Linux': + if sys.version_info[1] == 8 and platform.system() == 'Linux': with open(checks_list_path, encoding='utf-8') as f: for i, line in enumerate(f): if i in [0, 1]: diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 4611e282fe9..b83746a6bdf 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==3.0.14 +checkov==3.0.26 diff --git a/mypy.ini b/mypy.ini index ae4635cd329..bf3e64f4bd2 100644 --- a/mypy.ini +++ b/mypy.ini @@ -2,7 +2,7 @@ mypy_path = extra_stubs files = checkov -exclude = checkov/(arm/checks|cloudformation/checks|kubernetes/checks|serverless|terraform/checks) +exclude = checkov/(cloudformation/checks|serverless|terraform/checks) strict = True disallow_subclassing_any = False implicit_reexport = True @@ -11,9 +11,6 @@ show_error_codes = True [mypy-configargparse.*] ignore_missing_imports = True -[mypy-docker.*] -ignore_missing_imports = True - [mypy-dpath.*] ignore_missing_imports = True diff --git a/pyproject.toml b/pyproject.toml index 77b73ffb00f..57c8b9218ed 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -8,6 +8,7 @@ line-length = 120 [tool.importlinter] root_package = "checkov" +exclude_type_checking_imports = true [[tool.importlinter.contracts]] name = "common forbidden to import other modules" @@ -23,6 +24,7 @@ forbidden_modules = [ "checkov.bicep", "checkov.bitbucket", "checkov.bitbucket_pipelines", + "checkov.cdk", "checkov.circleci_pipelines", "checkov.cloudformation", "checkov.dockerfile", @@ -37,6 +39,7 @@ forbidden_modules = [ "checkov.kustomize", "checkov.openapi", "checkov.policies_3d", + "checkov.sast", "checkov.sca_image", "checkov.sca_package", "checkov.sca_package_2", @@ -49,11 +52,8 @@ forbidden_modules = [ ignore_imports = [ "checkov.common.util.json_utils -> checkov.terraform.modules.module_objects", # needed for JSON serialization - "checkov.common.bridgecrew.platform_integration -> checkov.secrets.coordinator", # type hint - "checkov.common.graph.graph_manager -> checkov.terraform.tf_parser", # type hint - "checkov.common.typing -> checkov.terraform.modules.module_objects", # type hint - "checkov.common.bridgecrew.integration_features.features.policies_3d_integration -> checkov.policies_3d.*", # considering what to do + "checkov.common.bridgecrew.integration_features.features.vulnerabilities_integration -> checkov.sast.report", # considering what to do "checkov.common.runners.base_post_runner -> checkov.policies_3d.checks_infra.base_check", # considering what to do "checkov.common.runners.runner_registry -> checkov.terraform.context_parsers.registry", # move runner_registry to a different place @@ -82,6 +82,16 @@ forbidden_modules = [ "checkov.kustomize", ] +[[tool.importlinter.contracts]] +name = "sast forbidden to import its children" +type = "forbidden" +source_modules = [ + "checkov.sast", +] +forbidden_modules = [ + "checkov.cdk", +] + [[tool.importlinter.contracts]] name = "terraform forbidden to import its children" type = "forbidden" diff --git a/tests/common/integration_features/test_vulnerabilities_integration.py b/tests/common/integration_features/test_vulnerabilities_integration.py index ec4baecc13d..c0553f10895 100644 --- a/tests/common/integration_features/test_vulnerabilities_integration.py +++ b/tests/common/integration_features/test_vulnerabilities_integration.py @@ -8,8 +8,9 @@ from checkov.common.bridgecrew.platform_integration import BcPlatformIntegration from checkov.common.output.record import Record, SCA_PACKAGE_SCAN_CHECK_NAME from checkov.common.output.report import Report -from checkov.sast.consts import SastLanguages +from checkov.common.sast.consts import SastLanguages from checkov.sast.report import SastReport +from checkov.sast.prisma_models.report import Package, File, Function class TestVulnerabilitiesIntegration(unittest.TestCase): @@ -193,6 +194,26 @@ def test_normalized_package_name_case_simple(self): result = vul_integration.normalize_package_name(original) self.assertTrue(result, expected) + def test_create_reachable_cves_by_package_map(self): + filtered_reachability_entries = [ + ('/index.js', File(packages={ + 'axios': Package(alias='ax', functions=[ + Function(name='trim', alias='hopa', line_number=4, code_block='hopa()', cve_id='cve-11') + ]), + 'lodash': Package(alias='', functions=[ + Function(name='template', alias='', line_number=1, code_block='template()', cve_id='cve-12'), + Function(name='toNumber', alias='', line_number=4, code_block='hopa()', cve_id='cve-13') + ]) + })) + ] + instance = BcPlatformIntegration() + vul_integration = VulnerabilitiesIntegration(instance) + reachable_data_by_package_map = vul_integration.create_reachable_cves_by_package_map(filtered_reachability_entries) + assert reachable_data_by_package_map == { + 'axios': {'cve-11'}, + 'lodash': {'cve-12', 'cve-13'} + } + if __name__ == '__main__': unittest.main() diff --git a/tests/common/output/test_cyclonedx_report.py b/tests/common/output/test_cyclonedx_report.py index aff2d51ecfe..dd54de44beb 100644 --- a/tests/common/output/test_cyclonedx_report.py +++ b/tests/common/output/test_cyclonedx_report.py @@ -197,6 +197,74 @@ def test_sca_packages_cyclonedx_bom(): assert record.file_line_range == [2, 6] assert output + +def test_duplicate_sca_packages_cyclonedx_bom(): + # given + rootless_file_path = "requirements.txt" + file_abs_path = "/path/to/requirements.txt" + check_class = "checkov.sca_package.scanner.Scanner" + vulnerability_details = { + "id": "CVE-2019-19844", + "status": "fixed in 3.0.1, 2.2.9, 1.11.27", + "cvss": 9.8, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "description": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. ...", + "severity": "moderate", + "packageName": "django", + "packageVersion": "1.2", + "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19844", + "riskFactors": ["Attack complexity: low", "Attack vector: network", "Critical severity", "Has fix"], + "impactedVersions": ["<1.11.27"], + "publishedDate": "2019-12-18T20:15:00+01:00", + "discoveredDate": "2019-12-18T19:15:00Z", + "fixDate": "2019-12-18T20:15:00+01:00", + } + package_1 = { + "package_registry": "https://registry.npmjs.org/", + "is_private_registry": False, + "linesNumbers": [2, 3], + } + package_2 = { + "package_registry": "https://registry.npmjs.org/", + "is_private_registry": False, + "linesNumbers": [5, 6], + } + + record_1 = create_report_cve_record( + rootless_file_path=rootless_file_path, + file_abs_path=file_abs_path, + check_class=check_class, + vulnerability_details=vulnerability_details, + licenses="OSI_BDS", + package=package_1, + file_line_range=get_package_lines(package_1), + ) + record_2 = create_report_cve_record( + rootless_file_path=rootless_file_path, + file_abs_path=file_abs_path, + check_class=check_class, + vulnerability_details=vulnerability_details, + licenses="OSI_BDS", + package=package_2, + file_line_range=get_package_lines(package_2), + ) + + report = Report(CheckType.SCA_PACKAGE) + report.add_resource(record_1.resource) + report.add_record(record_1) + report.add_resource(record_2.resource) + report.add_record(record_2) + + # when + cyclonedx = CycloneDX([report], "repoid/test") + + # then + assert len(cyclonedx.bom.components) == 1 + + component = next(iter(cyclonedx.bom.components)) + assert component.bom_ref.value == "pkg:pypi/repoid/test/requirements.txt/django@1.2" + + def test_create_schema_version_1_3(mocker: MockerFixture): # given test_file = Path(__file__).parent / "fixtures/main.tf" diff --git a/tests/common/test_runner_filter.py b/tests/common/test_runner_filter.py index 448d7f03ddb..fb6fa0edc58 100644 --- a/tests/common/test_runner_filter.py +++ b/tests/common/test_runner_filter.py @@ -5,7 +5,7 @@ from checkov.common.bridgecrew.check_type import CheckType from checkov.common.bridgecrew.code_categories import CodeCategoryType, CodeCategoryConfiguration from checkov.common.bridgecrew.severities import Severities, BcSeverities, Severity -from checkov.sast.consts import SastLanguages +from checkov.common.sast.consts import SastLanguages from checkov.main import Checkov from checkov.runner_filter import RunnerFilter diff --git a/tests/github_actions/test_runner.py b/tests/github_actions/test_runner.py index d6678294e15..fe16fe7c5cf 100644 --- a/tests/github_actions/test_runner.py +++ b/tests/github_actions/test_runner.py @@ -229,7 +229,7 @@ def test_runner_on_build(self): assert report.failed_checks[0].triggers[0] == {'workflow_dispatch', 'push'} assert report.failed_checks[0].workflow_name == 'build' - assert report.passed_checks[6].job[0] == "publish-checkov-k8s-dockerhub" + assert report.passed_checks[6].job[0] == "publish-checkov-dockerhub" assert report.passed_checks[6].triggers[0] == {'workflow_dispatch', 'push'} assert report.passed_checks[6].workflow_name == 'build' diff --git a/tests/sast/test_report.py b/tests/sast/test_report.py new file mode 100644 index 00000000000..a89b0d25807 --- /dev/null +++ b/tests/sast/test_report.py @@ -0,0 +1,54 @@ +from __future__ import annotations + +from checkov.common.sast.consts import SastLanguages +from checkov.sast.report import SastData, SastReport +from checkov.sast.prisma_models.report import Function, Repositories, File, Package + + +def _create_sast_reports_for_test_get_sast_reachability_report_with_one_report() -> list[SastReport]: + # we don't care about the init's params, except for the sast-language + report1 = SastReport('', {}, SastLanguages.JAVASCRIPT) + report1.sast_reachability = { + 'repo_1': Repositories(files={ + '/index.js': File(packages={ + 'axios': Package(alias='ax', functions=[ + Function(name='trim', alias='hopa', line_number=4, code_block='hopa()', cve_id='cve-11') + ]), + 'lodash': Package(alias='', functions=[ + Function(name='template', alias='', line_number=1, code_block='template()', cve_id='cve-11'), + Function(name='toNumber', alias='', line_number=4, code_block='hopa()', cve_id='cve-11') + ]) + }), + '/main.js': File(packages={ + 'axios': Package(alias='ax', functions=[ + Function(name='trim', alias='hi', line_number=4, code_block='hi()', cve_id='cve-11') + ]) + }) + }) + } + return [report1] + + +def test_get_sast_reachability_report_with_one_report(): + scan_reports: list[SastReport] = _create_sast_reports_for_test_get_sast_reachability_report_with_one_report() + sast_reachability_report = SastData.get_sast_reachability_report(scan_reports) + assert sast_reachability_report == { + 'reachability': { + SastLanguages.JAVASCRIPT: { + '/index.js': File(packages={ + 'axios': Package(alias='ax', functions=[ + Function(name='trim', alias='hopa', line_number=4, code_block='hopa()', cve_id='cve-11') + ]), + 'lodash': Package(alias='', functions=[ + Function(name='template', alias='', line_number=1, code_block='template()', cve_id='cve-11'), + Function(name='toNumber', alias='', line_number=4, code_block='hopa()', cve_id='cve-11') + ]) + }), + '/main.js': File(packages={ + 'axios': Package(alias='ax', functions=[ + Function(name='trim', alias='hi', line_number=4, code_block='hi()', cve_id='cve-11') + ]) + }) + } + } + } \ No newline at end of file diff --git a/tests/sca_package_2/conftest.py b/tests/sca_package_2/conftest.py index b2895cd85c8..4605f149534 100644 --- a/tests/sca_package_2/conftest.py +++ b/tests/sca_package_2/conftest.py @@ -1537,18 +1537,20 @@ def get_vulnerabilities_details() -> List[Dict[str, Any]]: def get_vulnerabilities_details_is_used_packages() -> List[Dict[str, Any]]: return [ { - "id": "CVE-2019-19844", + "id": "CVE-FAKE-111", "status": "fixed in 3.0.1, 2.2.9, 1.11.27", "cvss": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "description": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. ...", "severity": "critical", - "packageName": "django", - "packageVersion": "1.2", + "packageName": "package1", + "packageVersion": "1.1.1", "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19844", "riskFactorsV2": { "Attack complexity": "low", "Attack vector": "network", + "IsUsed": False, + "ReachableFunction": False, }, "impactedVersions": ["<1.11.27"], "publishedDate": "2019-12-18T20:15:00+01:00", @@ -1556,19 +1558,62 @@ def get_vulnerabilities_details_is_used_packages() -> List[Dict[str, Any]]: "fixDate": "2019-12-18T20:15:00+01:00", }, { - "id": "CVE-2016-6186", + "id": "CVE-FAKE-222", "status": "fixed in 1.9.8, 1.8.14", "cvss": 6.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "description": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function ...", "severity": "medium", - "packageName": "django", - "packageVersion": "1.2", + "packageName": "package2", + "packageVersion": "2.2.2", + "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186", + "riskFactorsV2": { + "Attack complexity": "low", + "Attack vector": "network", + "IsUsed": True, + "ReachableFunction": False, + }, + "impactedVersions": ["<=1.8.13"], + "publishedDate": "2016-08-05T17:59:00+02:00", + "discoveredDate": "2016-08-05T15:59:00Z", + "fixDate": "2016-08-05T17:59:00+02:00", + }, + { + "id": "CVE-FAKE-333", + "status": "fixed in 1.9.8, 1.8.14", + "cvss": 6.1, + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "description": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function ...", + "severity": "medium", + "packageName": "package3", + "packageVersion": "3.3.3", + "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186", + "riskFactorsV2": { + "Attack complexity": "low", + "Attack vector": "network", + "IsUsed": True, + "ReachableFunction": True, + }, + "impactedVersions": ["<=1.8.13"], + "publishedDate": "2016-08-05T17:59:00+02:00", + "discoveredDate": "2016-08-05T15:59:00Z", + "fixDate": "2016-08-05T17:59:00+02:00", + }, + { + "id": "CVE-FAKE-444", + "status": "fixed in 1.9.8, 1.8.14", + "cvss": 6.1, + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "description": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function ...", + "severity": "medium", + "packageName": "package4", + "packageVersion": "4.4.4", "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186", "riskFactorsV2": { "Attack complexity": "low", "Attack vector": "network", - "IsUsed": "True", + "IsUsed": False, + "ReachableFunction": True, }, "impactedVersions": ["<=1.8.13"], "publishedDate": "2016-08-05T17:59:00+02:00", diff --git a/tests/sca_package_2/outputs/cli_outputs/test_create_cli_table_for_package_with_reachability_data.txt b/tests/sca_package_2/outputs/cli_outputs/test_create_cli_table_for_package_with_reachability_data.txt new file mode 100644 index 00000000000..3b21c9fd204 --- /dev/null +++ b/tests/sca_package_2/outputs/cli_outputs/test_create_cli_table_for_package_with_reachability_data.txt @@ -0,0 +1,17 @@ + /requirements.txt - CVEs Summary: + ┌──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┐ + │ Total CVEs: 4 │ critical: 1 │ high: 0 │ medium: 3 │ low: 0 │ skipped: 0 │ Total Packages Used: │ + │ │ │ │ │ │ │ 3 │ + ├──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┤ + │ To fix 1/4 CVEs, go to https://www.bridgecrew.cloud/ │ + ├──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┤ + │ Package │ CVE ID │ Severity │ Current version │ Root fixed version │ Compliant version │ Reachability │ + ├──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┤ + │ package1 │ CVE-FAKE-111 │ CRITICAL │ 1.1.1 │ 1.11.27 │ 1.11.27 │ │ + ├──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┤ + │ package2 │ CVE-FAKE-222 │ MEDIUM │ 2.2.2 │ N/A │ N/A │ Package Used │ + ├──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┤ + │ package3 │ CVE-FAKE-333 │ MEDIUM │ 3.3.3 │ N/A │ N/A │ Reachable Function │ + ├──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┤ + │ package4 │ CVE-FAKE-444 │ MEDIUM │ 4.4.4 │ N/A │ N/A │ Reachable Function │ + └──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┘ diff --git a/tests/sca_package_2/test_output.py b/tests/sca_package_2/test_output.py index d7d6835d493..b07db19ba0c 100644 --- a/tests/sca_package_2/test_output.py +++ b/tests/sca_package_2/test_output.py @@ -1,10 +1,11 @@ from __future__ import annotations +import os from packaging import version as packaging_version +from pathlib import Path from checkov.common.bridgecrew.severities import BcSeverities, Severities from checkov.common.models.enums import CheckResult, ScanDataFormat -from checkov.common.sca.commons import get_package_alias from checkov.common.sca.output import create_report_cve_record, create_report_license_record from checkov.runner_filter import RunnerFilter from checkov.sca_package_2.output import ( @@ -15,7 +16,9 @@ ) from tests.sca_package_2.conftest import get_vulnerabilities_details_package_json, get_vulnerabilities_details, \ get_vulnerabilities_details_no_deps, get_vulnerabilities_details_package_lock_json, \ - create_cli_license_violations_table_wrapper, create_cli_output_wrapper + create_cli_license_violations_table_wrapper, create_cli_output_wrapper, get_vulnerabilities_details_is_used_packages + +CLI_OUTPUTS_DIR = Path(__file__).parent / "outputs" / "cli_outputs" def test_create_report_cve_record(): @@ -847,3 +850,28 @@ def test_create_cli_table_for_package_with_diff_CVEs(): '\t│ └─ uglify-js │ CVE-2015-8858 │ HIGH │ 2.4.24 │ │ │ │\n', '\t│ │ PRISMA-2021-0169 │ MEDIUM │ │ │ │ │\n', '\t└──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┘\n']) + + +def test_create_cli_table_for_package_with_reachability_data(): + # given + rootless_file_path = "requirements.txt" + file_abs_path = "/path/to/requirements.txt" + check_class = "checkov.sca_package_2.scanner.Scanner" + # when + cves_records = [ + create_report_cve_record( + rootless_file_path=rootless_file_path, + file_abs_path=file_abs_path, + check_class=check_class, + vulnerability_details=details, + licenses='Unknown', + package={'package_registry': "https://registry.npmjs.org/", 'is_private_registry': False}, + root_package={'name': details["packageName"], 'version': details["packageVersion"]}, + used_private_registry=False + ) + for details in get_vulnerabilities_details_is_used_packages() + ] + cli_output = create_cli_output(True, cves_records) + with open(os.path.join(CLI_OUTPUTS_DIR, "test_create_cli_table_for_package_with_reachability_data.txt")) as f: + expected_cli_output = f.read() + assert expected_cli_output == cli_output diff --git a/tests/terraform/checks/resource/aws/example_MQBrokerVersion/main.tf b/tests/terraform/checks/resource/aws/example_MQBrokerVersion/main.tf index 37d918c1b70..8123bc90dea 100644 --- a/tests/terraform/checks/resource/aws/example_MQBrokerVersion/main.tf +++ b/tests/terraform/checks/resource/aws/example_MQBrokerVersion/main.tf @@ -35,7 +35,7 @@ resource "aws_mq_broker" "pass" { broker_name = "example" engine_type = "ActiveMQ" - engine_version = "5.16.0" + engine_version = "5.17.6" host_instance_type = "mq.t2.micro" publicly_accessible = true deployment_mode = "SINGLE_INSTANCE" @@ -52,7 +52,7 @@ resource "aws_mq_broker" "pass2" { broker_name = "example" engine_type = "RabbitMQ" - engine_version = "3.8.6" + engine_version = "3.11.20" host_instance_type = "mq.t2.micro" publicly_accessible = true deployment_mode = "SINGLE_INSTANCE" @@ -105,7 +105,7 @@ resource "aws_mq_configuration" "pass" { description = "Example Configuration" name = "example" engine_type = "ActiveMQ" - engine_version = "5.16.3" + engine_version = "5.17.6" data = < diff --git a/tests/terraform/checks/resource/azure/example_AKSOnlyCriticalPodsOnSystemNodes/main.tf b/tests/terraform/checks/resource/azure/example_AKSOnlyCriticalPodsOnSystemNodes/main.tf new file mode 100644 index 00000000000..f5732c8b9f4 --- /dev/null +++ b/tests/terraform/checks/resource/azure/example_AKSOnlyCriticalPodsOnSystemNodes/main.tf @@ -0,0 +1,37 @@ +resource "azurerm_kubernetes_cluster" "pass" { + name = "example" + + default_node_pool { + name = "defaultpool" + only_critical_addons_enabled = true + } +} + +resource "azurerm_kubernetes_cluster" "fail1" { + name = "example" + + default_node_pool { + name = "defaultpool" + } +} + +resource "azurerm_kubernetes_cluster" "fail2" { + name = "example" + + default_node_pool { + name = "defaultpool" + only_critical_addons_enabled = false + } +} + +resource "azurerm_kubernetes_cluster" "fail3" { + name = "example" + +} + +resource "azurerm_kubernetes_cluster" "fail4" { + name = "example" + only_critical_addons_enabled = true + +} + diff --git a/tests/terraform/checks/resource/azure/example_AppServiceEnvironmentZoneRedundant/main.tf b/tests/terraform/checks/resource/azure/example_AppServiceEnvironmentZoneRedundant/main.tf new file mode 100644 index 00000000000..1cddb1d86b6 --- /dev/null +++ b/tests/terraform/checks/resource/azure/example_AppServiceEnvironmentZoneRedundant/main.tf @@ -0,0 +1,34 @@ +resource "azurerm_app_service_environment_v3" "pass" { + name = "example-asev3" + resource_group_name = azurerm_resource_group.example.name + subnet_id = azurerm_subnet.example.id + zone_redundant = true + + tags = { + env = "production" + terraformed = "true" + } +} + +resource "azurerm_app_service_environment_v3" "fail1" { + name = "example-asev3" + resource_group_name = azurerm_resource_group.example.name + subnet_id = azurerm_subnet.example.id + zone_redundant = false + + tags = { + env = "production" + terraformed = "true" + } +} + +resource "azurerm_app_service_environment_v3" "fail2" { + name = "example-asev3" + resource_group_name = azurerm_resource_group.example.name + subnet_id = azurerm_subnet.example.id + + tags = { + env = "production" + terraformed = "true" + } +} \ No newline at end of file diff --git a/tests/terraform/checks/resource/azure/example_AppServiceSlotHTTPSOnly/main.tf b/tests/terraform/checks/resource/azure/example_AppServiceSlotHTTPSOnly/main.tf index e981a4e2144..ffcbd1462e4 100644 --- a/tests/terraform/checks/resource/azure/example_AppServiceSlotHTTPSOnly/main.tf +++ b/tests/terraform/checks/resource/azure/example_AppServiceSlotHTTPSOnly/main.tf @@ -26,6 +26,23 @@ resource "azurerm_app_service_slot" "fail" { } +resource "azurerm_linux_web_app_slot" "fail" { + name = "fail-slot" + app_service_id = azurerm_linux_web_app.fail.id + https_only = false + + site_config {} +} + +resource "azurerm_windows_web_app_slot" "fail" { + name = "fail-slot" + app_service_id = azurerm_windows_web_app.fail.id + https_only = false + + site_config {} +} + + resource "azurerm_app_service_slot" "fail2" { name = random_id.server.hex app_service_name = azurerm_app_service.example.name @@ -77,3 +94,19 @@ resource "azurerm_app_service_slot" "pass" { value = "Server=some-server.mydomain.com;Integrated Security=SSPI" } } + +resource "azurerm_linux_web_app_slot" "pass" { + name = "pass-slot" + app_service_id = azurerm_linux_web_app.pass.id + https_only = true + + site_config {} +} + +resource "azurerm_windows_web_app_slot" "pass" { + name = "pass-slot" + app_service_id = azurerm_windows_web_app.pass.id + https_only = true + + site_config {} +} \ No newline at end of file diff --git a/tests/terraform/checks/resource/azure/example_RedisCacheStandardReplicationEnabled/main.tf b/tests/terraform/checks/resource/azure/example_RedisCacheStandardReplicationEnabled/main.tf new file mode 100644 index 00000000000..408408c0849 --- /dev/null +++ b/tests/terraform/checks/resource/azure/example_RedisCacheStandardReplicationEnabled/main.tf @@ -0,0 +1,41 @@ +resource "azurerm_redis_cache" "pass1" { + name = "example-cache" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + capacity = 2 + family = "C" + sku_name = "Standard" + enable_non_ssl_port = false + minimum_tls_version = "1.2" + + redis_configuration { + } +} + +resource "azurerm_redis_cache" "pass2" { + name = "example-cache" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + capacity = 2 + family = "C" + sku_name = "Premium" + enable_non_ssl_port = false + minimum_tls_version = "1.2" + + redis_configuration { + } +} + +resource "azurerm_redis_cache" "fail1" { + name = "example-cache" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + capacity = 2 + family = "C" + sku_name = "Basic" + enable_non_ssl_port = false + minimum_tls_version = "1.2" + + redis_configuration { + } +} diff --git a/tests/terraform/checks/resource/azure/test_AKSOnlyCriticalPodsOnSystemNodes.py b/tests/terraform/checks/resource/azure/test_AKSOnlyCriticalPodsOnSystemNodes.py new file mode 100644 index 00000000000..8b311f4d20a --- /dev/null +++ b/tests/terraform/checks/resource/azure/test_AKSOnlyCriticalPodsOnSystemNodes.py @@ -0,0 +1,43 @@ +import os +import unittest + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.runner import Runner +from checkov.terraform.checks.resource.azure.AKSOnlyCriticalPodsOnSystemNodes import check + + +class TestAKSOnlyCriticalPodsOnSystemNodes(unittest.TestCase): + def test(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = os.path.join(current_dir, "example_AKSOnlyCriticalPodsOnSystemNodes") + report = runner.run(root_folder=test_files_dir, + runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + 'azurerm_kubernetes_cluster.pass', + } + failing_resources = { + 'azurerm_kubernetes_cluster.fail1', + 'azurerm_kubernetes_cluster.fail2', + 'azurerm_kubernetes_cluster.fail3', + 'azurerm_kubernetes_cluster.fail4', + } + skipped_resources = {} + + passed_check_resources = {c.resource for c in report.passed_checks} + failed_check_resources = {c.resource for c in report.failed_checks} + + self.assertEqual(summary['passed'], len(passing_resources)) + self.assertEqual(summary['failed'], len(failing_resources)) + self.assertEqual(summary['skipped'], len(skipped_resources)) + self.assertEqual(summary['parsing_errors'], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == '__main__': + unittest.main() \ No newline at end of file diff --git a/tests/terraform/checks/resource/azure/test_AppServiceEnvironmentZoneRedundant.py b/tests/terraform/checks/resource/azure/test_AppServiceEnvironmentZoneRedundant.py new file mode 100644 index 00000000000..235b75ffff5 --- /dev/null +++ b/tests/terraform/checks/resource/azure/test_AppServiceEnvironmentZoneRedundant.py @@ -0,0 +1,42 @@ +import unittest +from pathlib import Path + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.checks.resource.azure.AppServiceEnvironmentZoneRedundant import check +from checkov.terraform.runner import Runner + + +class TestAppServiceEnvironmentZoneRedundant(unittest.TestCase): + def test(self): + # given + test_files_dir = Path(__file__).parent / "example_AppServiceEnvironmentZoneRedundant" + + # when + report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) + + # then + summary = report.get_summary() + + passing_resources = { + "azurerm_app_service_environment_v3.pass", + } + failing_resources = { + "azurerm_app_service_environment_v3.fail1", + "azurerm_app_service_environment_v3.fail2", + } + skipped_resources = {} + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary['passed'], len(passing_resources)) + self.assertEqual(summary['failed'], len(failing_resources)) + self.assertEqual(summary['skipped'], len(skipped_resources)) + self.assertEqual(summary['parsing_errors'], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/terraform/checks/resource/azure/test_AppServiceSlotHTTPSOnly.py b/tests/terraform/checks/resource/azure/test_AppServiceSlotHTTPSOnly.py index 7ffe4f37eb8..f627a7966f8 100644 --- a/tests/terraform/checks/resource/azure/test_AppServiceSlotHTTPSOnly.py +++ b/tests/terraform/checks/resource/azure/test_AppServiceSlotHTTPSOnly.py @@ -20,18 +20,23 @@ def test(self): passing_resources = { "azurerm_app_service_slot.pass", + "azurerm_linux_web_app_slot.pass", + "azurerm_windows_web_app_slot.pass", } failing_resources = { "azurerm_app_service_slot.fail", "azurerm_app_service_slot.fail2", + "azurerm_linux_web_app_slot.fail", + "azurerm_windows_web_app_slot.fail", } + skipped_resources = {} passed_check_resources = {c.resource for c in report.passed_checks} failed_check_resources = {c.resource for c in report.failed_checks} - self.assertEqual(summary["passed"], 1) - self.assertEqual(summary["failed"], 2) - self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary['passed'], len(passing_resources)) + self.assertEqual(summary['failed'], len(failing_resources)) + self.assertEqual(summary['skipped'], len(skipped_resources)) self.assertEqual(summary["parsing_errors"], 0) self.assertEqual(passing_resources, passed_check_resources) diff --git a/tests/terraform/checks/resource/azure/test_RedisCacheStandardReplicationEnabled.py b/tests/terraform/checks/resource/azure/test_RedisCacheStandardReplicationEnabled.py new file mode 100644 index 00000000000..c447650f16f --- /dev/null +++ b/tests/terraform/checks/resource/azure/test_RedisCacheStandardReplicationEnabled.py @@ -0,0 +1,42 @@ +import os +import unittest + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.runner import Runner +from checkov.terraform.checks.resource.azure.RedisCacheStandardReplicationEnabled import check + + +class TestRedisCacheStandardReplicationEnabled(unittest.TestCase): + + def test(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = os.path.join(current_dir, "example_RedisCacheStandardReplicationEnabled") + report = runner.run(root_folder=test_files_dir, + runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + 'azurerm_redis_cache.pass1', + 'azurerm_redis_cache.pass2' + } + failing_resources = { + 'azurerm_redis_cache.fail1' + } + skipped_resources = {} + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary['passed'], len(passing_resources)) + self.assertEqual(summary['failed'], len(failing_resources)) + self.assertEqual(summary['skipped'], len(skipped_resources)) + self.assertEqual(summary['parsing_errors'], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == '__main__': + unittest.main() \ No newline at end of file diff --git a/tests/terraform/checks/resource/gcp/example_BigQueryTableDeletionProtection/main.tf b/tests/terraform/checks/resource/gcp/example_BigQueryTableDeletionProtection/main.tf new file mode 100644 index 00000000000..f17cade3f8d --- /dev/null +++ b/tests/terraform/checks/resource/gcp/example_BigQueryTableDeletionProtection/main.tf @@ -0,0 +1,93 @@ +resource "google_bigquery_table" "fail" { + dataset_id = google_bigquery_dataset.default.dataset_id + table_id = "bar" + + time_partitioning { + type = "DAY" + } + + labels = { + env = "default" + } + + schema = <