| Check | Severity |
|---|---|
| 'zypper clean' missing | high |
| Zone signing should not use RSA SHA1 | medium |
| 'yum clean all' missing | high |
| You should enable bucket access logging on the CloudTrail S3 bucket. | low |
| Workloads in the default namespace | low |
| WORKDIR should not be mounted on system dirs | high |
| WORKDIR path not absolute | high |
| When using Queue Services for a storage account, logging should be enabled. | medium |
| Web App uses the latest HTTP version | low |
| Web App uses latest TLS version | high |
| Web App has registration with AD enabled | low |
| Web App accepts incoming client certificate | low |
| VPC flow logs should be enabled for all subnetworks | low |
| VM disks should be encrypted with Customer Supplied Encryption Keys | low |
| Verify that the RotateKubeletServerCertificate argument is set to true | high |
| Verify that the --read-only-port argument is set to 0 | high |
| Users should not be granted service account access at the project level | medium |
| Users should not be granted service account access at the organization level | medium |
| Users should not be granted service account access at the folder level | medium |
| User with admin access | medium |
| User Pods should not be placed in kube-system namespace | medium |
| User data for EC2 instances must not contain sensitive AWS keys | critical |
| User data for EC2 instances must not contain sensitive AWS keys | critical |
| Use of plain HTTP. | critical |
| Use of plain HTTP. | critical |
| Unsafe sysctl options set | medium |
| Unencrypted SQS queue. | high |
| Unencrypted SNS topic. | high |
| Unencrypted S3 bucket. | high |
| Unencrypted data lake storage. | high |
| Trusted Microsoft Services should have bypass access to Storage accounts | high |
| Tiller Is Deployed | critical |
| There is no encryption specified or encryption is disabled on the RDS Cluster. | high |
| The S3 Bucket backing Cloudtrail should be private | critical |
| The router has common private network | low |
| The required contact details should be set for security center | low |
| The nas instance has common private network | low |
| The minimum TLS version for Storage Accounts should be TLS1_2 | critical |
| The load balancer forwarding rule is using an insecure protocol as an entrypoint | critical |
| The Kubernetes cluster does not enable surge upgrades | medium |
| The instance has common private network | low |
| The firewall has an outbound rule with open access | critical |
| The firewall has an inbound rule with open access | critical |
| The encryption key used to encrypt a compute disk has been specified in plaintext. | critical |
| The elb has common private network | low |
| The default action on Storage account network rules should be set to deny | critical |
| The db instance has common private network | low |
| Temporary file logging should be enabled for all temporary files. | medium |
| Task definition defines sensitive environment variable(s). | critical |
| system:authenticate group access binding | critical |
| system:authenticate group access binding | critical |
| SYS_MODULE capability added | high |
| SYS_ADMIN capability added | high |
| Synapse Workspace should have managed virtual network enabled; the default is disabled. | medium |
| Storage containers in blob storage mode should not have public access | high |
| Storage accounts should be configured to only accept transfers that are over secure connections | high |
| Stackdriver Monitoring should be enabled | low |
| Stackdriver Logging should be enabled | low |
| SSL should be enforced on database connections where applicable | medium |
| SSL policies should enforce secure versions of TLS | critical |
| SSL connections to a SQL database instance should be enforced. | high |
| SSH keys are the preferred way to connect to your droplet, but no keys are supplied | high |
| SSH access should not be accessible from the Internet; port 22 should be blocked | critical |
| SQS queue should be encrypted with a CMK. | high |
| Specific capabilities added | medium |
| Spaces buckets should have versioning enabled | medium |
| Spaces bucket or bucket object has public read acl set | critical |
| SNS topic not encrypted with CMK. | high |
| Shielded GKE nodes not enabled. | high |
| Service with External IP | high |
| Service accounts should not have roles assigned with excessive privileges | high |
| Send notification emails for high severity alerts | medium |
| SELinux custom options set | medium |
| Selector usage in network policies | medium |
| Security threat alerts go to subscription owners and co-administrators | low |
| Secrets should not be exfiltrated using Terraform HTTP data blocks | critical |
| Secrets Manager should use customer managed keys | low |
| Seccomp policies disabled | medium |
| SAM State machine must have X-Ray tracing enabled | low |
| SAM State machine must have logging enabled | low |
| SAM Simple table must have server side encryption enabled. | high |
| SAM HTTP API stages for V1 and V2 should have access logging enabled | medium |
| SAM Function must have X-Ray tracing enabled | low |
| SAM API stages for V1 and V2 should have access logging enabled | medium |
| SAM API must have X-Ray tracing enabled | low |
| SAM API must have data cache enabled | medium |
| SAM API domain name uses outdated SSL/TLS protocols. | high |
| S3 encryption should use Customer Managed Keys | high |
| S3 DNS Compliant Bucket Names | medium |
| S3 Data should be versioned | medium |
| S3 buckets should each define an aws_s3_bucket_public_access_block | low |
| S3 Buckets not publicly accessible through ACL. | high |
| S3 Bucket Logging | low |
| S3 Access block should restrict public bucket to limit access | high |
| S3 Access Block should Ignore Public Acl | high |
| S3 Access block should block public policy | high |
| S3 Access block should block public ACL | high |
| Runtime/Default Seccomp profile not set | low |
| Runtime/Default AppArmor profile not set | low |
| Runs with UID <= 10000 | low |
| Runs with GID <= 10000 | low |
| Runs with a root primary or supplementary GID | low |
| Runs as root user | medium |
| RUN using 'wget' and 'curl' | low |
| RUN using 'sudo' | critical |
| 'RUN cd ...' to change directory | medium |
| 'RUN <package-manager> update' instruction alone | high |
| Root file system is not read-only | high |
| Root and user volumes on Workspaces should be encrypted | high |
| Roles should not be assigned to default service accounts | medium |
| Roles should not be assigned to default service accounts | medium |
| Roles should not be assigned to default service accounts | medium |
| Roles limited to the required actions | medium |
| Retention policy for flow logs should be enabled and set to greater than 90 days | low |
| resource quota usage | low |
| Require VPC Flow Logs For All VPCs | medium |
| Require CMK Disabled Alarm | low |
| Redshift clusters should use at rest encryption | high |
| Redshift cluster should be deployed into a specific VPC | high |
| Redis cluster should have backup retention turned on | medium |
| RDS Publicly Accessible | high |
| RDS IAM Database Authentication Disabled | medium |
| RDS encryption has not been enabled at a DB Instance level. | high |
| RDS Deletion Protection Disabled | medium |
| RDS Cluster Deletion Protection Disabled | medium |
| RDS Cluster and RDS instance should have backup retention longer than default 1 day | medium |
| RDP access should not be accessible from the Internet; port 3389 should be blocked | critical |
| RDB instance should have backup retention longer than 1 day | medium |
| Public ingress should not be allowed via network policies | high |
| Public egress should not be allowed via network policies | high |
| Protecting Pod service account tokens | medium |
| Privileged | high |
| Prevent binding to privileged ports | high |
| Port 22 exposed | medium |
| Point in time recovery should be enabled to protect DynamoDB table | medium |
| Performance Insights encryption should use Customer Managed Keys | low |
| Password authentication should be disabled on Azure virtual machines | high |
| OS Login should be enabled at project level | medium |
| Non-default /proc masks set | medium |
| Non-core volume types used. | low |
| Node metadata value disables metadata concealment. | high |
| No wildcard verb roles | critical |
| No wildcard verb and resource roles | critical |
| No user should have more than one active access key. | low |
| No unauthorized access to API Gateway methods | low |
| No threat detections are set | medium |
| No State Machine Policy Wildcards | high |
| No sensitive data stored in user_data | high |
| No Root Access Keys | critical |
| No plaintext password for compute instance | medium |
| No HEALTHCHECK defined | low |
| Network Policy should be enabled on GKE clusters | medium |
| NET_RAW capability added | high |
| Neptune storage must be encrypted at rest | high |
| Neptune logs export should be enabled | medium |
| Neptune encryption should use Customer Managed Keys | high |
| Multiple HEALTHCHECK defined | medium |
| Multiple ENTRYPOINT instructions listed | critical |
| Multiple CMD instructions listed | high |
| MQ Broker should have general logging enabled | low |
| MQ Broker should have audit logging enabled | medium |
| Missing security group for vpnGateway. | critical |
| Missing security group for router. | critical |
| Missing security group for instance. | critical |
| Missing IAM Role to allow authorized users to manage incidents with AWS Support. | low |
| Missing description for security group/security group rule. | low |
| Missing description for security group/security group rule. | low |
| Missing description for security group. | low |
| Missing description for security group. | medium |
| Missing description for security group. | low |
| Missing description for security group rule. | low |
| Missing description for security group rule. | low |
| Missing description for nas security group. | low |
| Missing description for db security group. | low |
| 'microdnf clean all' missing | high |
| Memory requests not specified | low |
| Memory not limited | low |
| Master authorized networks should be configured on GKE clusters | high |
| Manages /etc/hosts | low |
| Manage webhookconfigurations | critical |
| Manage secrets | critical |
| Manage namespace secrets | medium |
| Manage Kubernetes workloads and pods | medium |
| Manage Kubernetes RBAC resources | critical |
| Manage Kubernetes networking | high |
| Manage EKS IAM Auth ConfigMap | critical |
| Manage configmaps | medium |
| Manage all resources at the namespace | critical |
| Manage all resources | critical |
| Load balancers should drop invalid headers | high |
| Load balancer is exposed to the internet. | high |
| Limit Root Account Usage | low |
| limit range usage | low |
| Legacy metadata endpoints enabled. | high |
| Legacy client authentication methods utilized. | high |
| Legacy ABAC permissions are enabled. | high |
| Launch configuration with unencrypted block device. | high |
| Launch configuration should not have a public IP address. | high |
| Lambda functions should have X-Ray tracing enabled | low |
| Kubernetes should have 'Automatic upgrade' enabled | low |
| Kubernetes should have 'Automatic repair' enabled | low |
| Kubernetes resource with disallowed volumes mounted | high |
| Kubernetes Auto Upgrades Not Enabled | critical |
| KMS keys should be rotated at least every 90 days | high |
| Kinesis stream is unencrypted. | high |
| Key vault should have the network acl block specified | critical |
| Key vault should have purge protection enabled | medium |
| Key Vault Secret should have an expiration date set | low |
| Key vault Secret should have a content type set | low |
| Key Management Errors | low |
| Instances should not use the default service account | critical |
| Instances should not override the project setting for OS Login | medium |
| Instances should not have public IP addresses | high |
| Instances should not have IP forwarding enabled | high |
| Instances should have Shielded VM VTPM enabled | medium |
| Instances should have Shielded VM secure boot enabled | medium |
| Instances should have Shielded VM integrity monitoring enabled | medium |
| Instances in a subnet should not receive a public IP address by default. | high |
| Instance with unencrypted block device. | high |
| Inadequate Encryption Strength | medium |
| Inadequate Encryption Strength | high |
| Inadequate Encryption Strength | low |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') | high |
| Image user should not be 'root' | high |
| Image tag ":latest" used | medium |
| If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive | high |
| If proxy kubeconfig file exists ensure ownership is set to root:root | high |
| IAM Users should have MFA enforcement activated. | medium |
| IAM policy should avoid use of wildcards and instead apply the principle of least privilege | high |
| IAM policies should not be granted directly to users. | low |
| IAM Password policy should prevent password reuse. | medium |
| IAM Password policy should have requirement for at least one uppercase character. | medium |
| IAM Password policy should have requirement for at least one symbol in the password. | medium |
| IAM Password policy should have requirement for at least one number in the password. | medium |
| IAM Password policy should have requirement for at least one lowercase character. | medium |
| IAM Password policy should have minimum password length of 14 or more characters. | medium |
| IAM Password policy should have expiry less than or equal to 90 days. | medium |
| IAM Pass Role Filtering | medium |
| IAM groups should have MFA enforcement activated. | medium |
| IAM granted directly to user. | medium |
| hostPath volumes mounted | medium |
| hostPath volume mounted with docker.sock | high |
| GKE Control Plane should not be publicly accessible | high |
| GitHub repository shouldn't be public. | critical |
| GitHub repository has vulnerability alerts disabled. | high |
| GitHub branch protection does not require signed commits. | high |
| Function policies should avoid use of wildcards and instead apply the principle of least privilege | high |
| Force destroy is enabled on a Spaces bucket, which is dangerous | medium |
| Exposed port out of range | critical |
| Exec into Pods | high |
| Ensure the Function App can only be accessed via HTTPS. The default is false. | critical |
| Ensure the activity retention log is set to at least a year | medium |
| Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive | high |
| Ensure that the scheduler pod specification file ownership is set to root:root | high |
| Ensure that the scheduler config file permissions are set to 600 or more restrictive | high |
| Ensure that the scheduler config file ownership is set to root:root | high |
| Ensure that the RotateKubeletServerCertificate argument is set to true | low |
| Ensure that the Kubernetes PKI key file permission is set to 600 | critical |
| Ensure that the Kubernetes PKI directory and file ownership is set to root:root | critical |
| Ensure that the Kubernetes PKI certificate file permission is set to 600 | high |
| Ensure that the kubelet service file permissions are set to 600 or more restrictive | high |
| Ensure that the kubelet service file ownership is set to root:root | critical |
| Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | critical |
| Ensure that the expiration date is set on all keys | medium |
| Ensure that the etcd pod specification file permissions are set to 600 or more restrictive | high |
| Ensure that the etcd pod specification file ownership is set to root:root | high |
| Ensure that the etcd data directory permissions are set to 700 or more restrictive | low |
| Ensure that the etcd data directory ownership is set to etcd:etcd | low |
| Ensure that the controller-manager config file permissions are set to 600 or more restrictive | high |
| Ensure that the controller-manager config file ownership is set to root:root | high |
| Ensure that the controller manager pod specification file ownership is set to root:root | high |
| Ensure that the container network interface file permissions are set to 600 or more restrictive | high |
| Ensure that the container network interface file ownership is set to root:root | high |
| Ensure that the client certificate authorities file ownership is set to root:root | critical |
| Ensure that the certificate authorities file permissions are set to 600 or more restrictive | critical |
| Ensure that the API server pod specification file permissions are set to 600 or more restrictive | high |
| Ensure that the API server pod specification file ownership is set to root:root | high |
| Ensure that the admission control plugin ServiceAccount is set | low |
| Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | low |
| Ensure that the admission control plugin NodeRestriction is set | low |
| Ensure that the admission control plugin NamespaceLifecycle is set | low |
| Ensure that the admission control plugin EventRateLimit is set | low |
| Ensure that the admission control plugin AlwaysPullImages is set | low |
| Ensure that the admission control plugin AlwaysAdmit is not set | low |
| Ensure that the admin config file permissions are set to 600 or more restrictive | critical |
| Ensure that the admin config file ownership is set to root:root | critical |
| Ensure that the --use-service-account-credentials argument is set to true | low |
| Ensure that the --token-auth-file parameter is not set | low |
| Ensure that the --tls-key-file argument is set as appropriate | critical |
| Ensure that the --tls-cert-file argument is set as appropriate | critical |
| Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | low |
| Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | low |
| Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | high |
| Ensure that the --service-account-private-key-file argument is set as appropriate | low |
| Ensure that the --service-account-lookup argument is set to true | low |
| Ensure that the --service-account-key-file argument is set as appropriate | low |
| Ensure that the --secure-port argument is not set to 0 | low |
| Ensure that the --rotate-certificates argument is not set to false | high |
| Ensure that the --root-ca-file argument is set as appropriate | low |
| Ensure that the --protect-kernel-defaults is set to true | high |
| Ensure that the --profiling argument is set to false | low |
| Ensure that the --profiling argument is set to false | low |
| Ensure that the --profiling argument is set to false | low |
| Ensure that the --peer-client-cert-auth argument is set to true | low |
| Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | low |
| Ensure that the --peer-auto-tls argument is not set to true | low |
| Ensure that the --make-iptables-util-chains argument is set to true | high |
| Ensure that the --kubelet-https argument is set to true | low |
| Ensure that the --kubelet-certificate-authority argument is set as appropriate | low |
| Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive | high |
| Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root | high |
| Ensure that the --hostname-override argument is not set | high |
| Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | high |
| Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | low |
| Ensure that the --etcd-cafile argument is set as appropriate | low |
| Ensure that the --encryption-provider-config argument is set as appropriate | low |
| Ensure that the --DenyServiceExternalIPs is not set | low |
| Ensure that the --client-cert-auth argument is set to true | low |
| Ensure that the --client-ca-file argument is set as appropriate | critical |
| Ensure that the --client-ca-file argument is set as appropriate | low |
| Ensure that the --cert-file and --key-file arguments are set as appropriate | low |
| Ensure that the --bind-address argument is set to 127.0.0.1 | low |
| Ensure that the --bind-address argument is set to 127.0.0.1 | low |
| Ensure that the --auto-tls argument is not set to true | low |
| Ensure that the --authorization-mode argument is not set to AlwaysAllow | low |
| Ensure that the --authorization-mode argument is not set to AlwaysAllow | high |
| Ensure that the --authorization-mode argument includes RBAC | low |
| Ensure that the --authorization-mode argument includes Node | low |
| Ensure that the --audit-log-path argument is set | low |
| Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | low |
| Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | low |
| Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | low |
| Ensure that the --anonymous-auth argument is set to false | critical |
| Ensure that the --anonymous-auth argument is set to false | medium |
| Ensure that response caching is enabled for your Amazon API Gateway REST APIs. | low |
| Ensure that Postgres errors are logged | low |
| Ensure that no sensitive credentials are exposed in VM custom_data | medium |
| Ensure that logging of long statements is disabled. | low |
| Ensure that logging of lock waits is enabled. | medium |
| Ensure that logging of disconnections is enabled. | medium |
| Ensure that logging of connections is enabled. | medium |
| Ensure that logging of checkpoints is enabled. | medium |
| Ensure that lambda function permission has a source arn specified | critical |
| Ensure that Cloud Storage buckets have uniform bucket-level access enabled | medium |
| Ensure that Cloud Storage bucket is not anonymously or publicly accessible. | high |
| Ensure that Cloud SQL Database Instances are not publicly exposed | high |
| Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | medium |
| Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | medium |
| Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | medium |
| Ensure RBAC is enabled on AKS clusters | high |
| Ensure plaintext value is not used for GitHub Action Environment Secret. | high |
| Ensure MSK Cluster logging is enabled | medium |
| Ensure MQ Broker is not publicly exposed | high |
| Ensure log profile captures all activities | medium |
| Ensure Kubelet Config.Yaml Permissions 600 Or More Restrictive. | high |
| Ensure Kubelet Client Certificate And Kubelet Client Key Are Set | low |
| Ensure Kubeconfig Kubelet Config.Yaml Ownership Set Root:Root | high |
| Ensure databases are not publicly accessible | medium |
| Ensure database firewalls do not permit public access | high |
| Ensure Controller Manager Pod Specification File Permissions Set 600 Or More Restrictive | high |
| Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | low |
| Ensure all data stored in the launch configuration EBS is securely encrypted | high |
| Ensure AKS logging to Azure Monitoring is Configured | medium |
| Ensure AKS has an API Server Authorized IP Ranges enabled | critical |
| Ensure AKS cluster has Network Policy configured | high |
| Ensure activities are captured for all locations | medium |
| Ensure a log metric filter and alarm exist for VPC changes | low |
| Ensure a log metric filter and alarm exist for usage of root user | low |
| Ensure a log metric filter and alarm exist for unauthorized API calls | low |
| Ensure a log metric filter and alarm exist for security group changes | low |
| Ensure a log metric filter and alarm exist for S3 bucket policy changes | low |
| Ensure a log metric filter and alarm exist for route table changes | low |
| Ensure a log metric filter and alarm exist for organisation changes | low |
| Ensure a log metric filter and alarm exist for IAM policy changes | low |
| Ensure a log metric filter and alarm exist for CloudTrail configuration changes | low |
| Ensure a log metric filter and alarm exist for changes to network gateways | low |
| Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | low |
| Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA | low |
| Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | low |
| Ensure a log metric filter and alarm exist for AWS Config configuration changes | low |
| Enforce Root MFA | critical |
| Enforce Root Hardware MFA | medium |
| Enable the standard security center subscription tier | low |
| Enable Performance Insights to detect potential problems | low |
| Enable Object Write Logging | low |
| Enable Object Read Logging | low |
| Enable local-disk encryption for EMR clusters. | high |
| Enable in-transit encryption for EMR clusters. | high |
| Enable IAM Access analyzer for IAM policies about all resources in each region. | low |
| Enable disk encryption on managed disk | high |
| Enable automated backups to recover from data-loss | medium |
| Enable at-rest encryption for EMR clusters. | high |
| Enable At Rest Encryption | high |
| Enable All Regions | medium |
| Elasticsearch domain uses plaintext traffic for node to node communication. | high |
| Elasticsearch domain isn't encrypted at rest. | high |
| Elasticsearch domain endpoint is using outdated TLS policy. | high |
| Elasticsearch doesn't enforce HTTPS traffic. | critical |
| Elasticache Replication Group uses unencrypted traffic. | high |
| Elasticache Replication Group stores unencrypted data at-rest. | high |
| EKS should have the encryption of secrets enabled | high |
| EKS Clusters should have the public access disabled | critical |
| EKS Clusters should have cluster control plane logging turned on | medium |
| EKS cluster should not have open CIDR range for public access | critical |
| EFS Encryption has not been enabled | high |
| ECS Task Definitions with EFS volumes should use in-transit encryption | high |
| ECS clusters should have container insights enabled | low |
| ECR Repository should use customer managed keys to allow more control | low |
| ECR repository policy must block public access | high |
| ECR repository has image scans disabled. | high |
| ECR images tags shouldn't be mutable. | high |
| EBS volumes must be encrypted | high |
| EBS volume encryption should use Customer Managed Keys | low |
| DynamoDB tables should use at rest encryption with a Customer Managed Key | low |
| Duplicate aliases defined in different FROMs | critical |
| Domain logging should be enabled for Elastic Search domains | medium |
| DocumentDB storage must be encrypted | high |
| DocumentDB logs export should be enabled | medium |
| DocumentDB encryption should use Customer Managed Keys | low |
| Do not allow users in a rolebinding to add other users to their rolebindings | low |
| Do not allow role to create ClusterRoleBindings and association with privileged role | high |
| Do not allow role binding creation and association with privileged role/clusterrole | high |
| Do not allow privilege escalation from node proxy | high |
| Do not allow impersonation of privileged groups | critical |
| Do not allow attaching to shell on pods | high |
| 'dnf clean all' missing | high |
| Disks should be encrypted with customer managed encryption keys | low |
| Disable Unused Credentials 45 Days | low |
| Disable serial port connectivity for all instances | medium |
| Disable project-wide SSH keys for all instances | medium |
| Disable local_infile setting in MySQL | high |
| Deprecated MAINTAINER used | high |
| Delete verified record | critical |
| Delete pod logs | medium |
| Delete expired TLS certificates | low |
| Delete expired SSL certificates | low |
| Default security group should restrict all traffic | low |
| Default security context configured | high |
| Default network should not be created at project level | high |
| Default capabilities: some containers do not drop any | low |
| Default capabilities: some containers do not drop all | low |
| DAX Cluster should always encrypt data at rest | high |
| Databases should have the minimum TLS set for connections | medium |
| Database auditing retention period should be longer than 90 days | medium |
| Data Factory should have public access disabled; the default is enabled. | critical |
| Cross-database ownership chaining should be disabled | medium |
| Credentials which are no longer used should be disabled. | medium |
| CPU requests not specified | low |
| CPU not limited | low |
| COPY with more than two arguments not ending with slash | critical |
| COPY '--from' referring to the current image | critical |
| Containers must not set runAsUser to 0 | low |
| Container images from public registries used | medium |
| Container capabilities must only include NET_BIND_SERVICE | low |
| Contained database authentication should be disabled | medium |
| ConfigMap with sensitive content | medium |
| ConfigMap with secrets | high |
| Config configuration aggregator should be using all regions for source | high |
| Compute instance requests an IP reservation from a public pool | critical |
| CodeBuild Project artifacts encryption should not be disabled | high |
| Clusters should have IP aliasing enabled | low |
| Clusters should be set to private | medium |
| Clusters should be configured with Labels | low |
| CloudWatch log groups should be encrypted using CMK | low |
| CloudTrail should use Customer managed keys to encrypt the logs | high |
| CloudTrail logs should be stored in S3 and also sent to CloudWatch Logs | low |
| Cloudtrail log validation should be enabled to prevent tampering of log data | high |
| CloudFront distribution uses outdated SSL/TLS protocols. | high |
| Cloudfront distribution should have Access Logging configured | medium |
| CloudFront distribution does not have a WAF in front. | high |
| CloudFront distribution allows unencrypted (HTTP) communications. | critical |
| Cloud Storage buckets should be encrypted with a customer-managed key. | low |
| Cloud DNS should use DNSSEC | medium |
| Checks for service account defined for GKE nodes | medium |
| Can elevate its own privileges | medium |
| Buckets should have MFA deletion protection enabled. | low |
| BigQuery datasets should only be accessible within the organisation | critical |
| aws_instance should activate session tokens for Instance Metadata Service. | high |
| aws_instance should activate session tokens for Instance Metadata Service. | high |
| AWS SQS policy document has wildcard action statement. | high |
| AWS Classic resource usage. | critical |
| AWS Classic resource usage. | critical |
| AWS best practice to not use the default VPC for workflows | high |
| Auditing should be enabled on Azure SQL Databases | medium |
| Athena workgroups should enforce configuration to prevent client disabling encryption | high |
| At least one email address is set for threat alerts | medium |
| 'apt-get' missing '-y' to avoid manual input | high |
| 'apt-get' missing '--no-install-recommends' | high |
| 'apt-get dist-upgrade' used | high |
| App Service authentication is activated | medium |
| 'apk add' is missing '--no-cache' | high |
| API Gateway stages for V1 and V2 should have access logging enabled | medium |
| API Gateway must have X-Ray tracing enabled | low |
| API Gateway must have cache enabled | medium |
| API Gateway domain name uses outdated SSL/TLS protocols. | high |
| Anonymous user access binding | critical |
| An outdated SSL policy is in use by a load balancer. | critical |
| An outdated SSL policy is in use by a load balancer. | critical |
| An outbound network security rule allows traffic to /0. | critical |
| An outbound firewall rule allows traffic to /0. | critical |
| A Network ACL rule allows ALL ports. | critical |
| An ingress security group rule allows traffic from /0. | critical |
| An ingress security group rule allows traffic from /0. | critical |
| An ingress Network ACL rule allows specific ports from /0. | critical |
| An ingress nas security group rule allows traffic from /0. | critical |
| An ingress db security group rule allows traffic from /0. | critical |
| An inbound network security rule allows traffic from /0. | critical |
| An inbound firewall rule allows traffic from /0. | critical |
| An egress security group rule allows traffic to /0. | critical |
| All container images must start with the *.azurecr.io domain | medium |
| All container images must start with an ECR domain | medium |
| All container images must start with a GCR domain | medium |
| ADD instead of COPY | low |
| Access to host process | medium |
| Access to host ports | high |
| Access to host PID | high |
| Access to host network | high |
| Access to host IPC namespace | high |
| Access keys should be rotated at least every 90 days | low |
| A security group rule allows ingress traffic from multiple public addresses | medium |
| A security group rule allows egress traffic to multiple public addresses | medium |
| An MSK cluster allows unencrypted data in transit. | high |
| An MSK cluster allows unencrypted data at rest. | high |
| A KMS key is not configured to auto-rotate. | medium |
| A firewall rule allows traffic from/to the public internet | medium |
| A database resource is marked as publicly accessible. | critical |
| A configuration for an external workload identity pool provider should have conditions set | high |
| ':latest' tag used | medium |