Findings Type Coverage

The following is an approximate list of vulnerability, insight, and secret types, as well as the CWE and OWASP categories, that ShiftLeft CORE's NG SAST is capable of finding. We also list the finding types available for those submitting JavaScript applications or Terraform projects to NG SAST.

This list is subject to change as our security team identifies additional finding types.

Please note that the vulnerability/category names that NG SAST uses may vary, especially with regards to open-source vulnerabilities. ShiftLeft does not normalize names and does not control the source of the vulnerability database.

Vulnerabilities

  • Authentication Bypass: Control of the authentication token by an attacker; the input is never checked, so the attacker can serialize their own authentication token and set their user role to admin.
  • Cookie Injection: The attacker could inject cookies not set for their session to impersonate other sessions/users
  • Cross-Site Scripting (XSS): The execution of malicious scripts in the victim's browser
  • Crypto: Weak encryption
  • Crypto AES with ECB: Use of ECB mode (instead of CBC mode) in AES encryption
  • Deserialization: Deserialization of user-controlled data (or other potentially unsafe data) that could lead to injection attacks
  • Directory Traversal: Possible access to files/directories outside of the root folder
  • Eval: Use of the eval() function, which executes a string as code
  • File Write: Application functionality allows attackers to write data to an arbitrary file
  • Hard-Coded Password: Application code includes a hard-coded password
  • Header Injection: User-provided data is used in an HTTP response header
  • Improper Certificate Validation: Application doesn't validate a certificate or validates it incorrectly
  • Insecure Cookie: Application does not designate authentication cookies as secure
  • Insecure JWT Algorithm: Unsafe parsing of the JWT token
  • Insecure Puppeteer Settings: Insecure settings when using Puppeteer
  • Insecure TLS Configuration: Insecure TLS Configuration due to missing minimum TLS version
  • JWT Exposed Creds: The object is passed strictly to JWT.sign/verify(...) and could possibly expose sensitive information via the JWT token payload
  • JWT Unsafe Parsing: Unsafe parsing of JWT token (e.g., use of alg:none)
  • LDAP Injection: End user-controlled data is used in an LDAP query without escaping or validation
  • Mail Injection: Use of HTTP data in emails
  • Mass Assignment: HTTP request parameters are bound to program variables
  • Missing Certificate Check: Invalid certificate validation; the certificate validation is always returning true
  • NoSQL Injection: End-user controlled data to NoSQL database
  • Open Redirect: App incorporates a request parameter into a URL redirect without validation
  • OSS Express Body Parser: POST Request to Express' bodyParser() can create temporary files and consume space
  • Path Traversal: Path constructed with user input can result in Path Traversal
  • Prototype Pollution: User-controlled object leading to RCE or XSS
  • Remote Code Execution: End-user is able to execute commands on the host
  • Sensitive Data Exposure: App configures the exposure of sensitive data (e.g., printing executed queries via stdout)
  • Sensitive Data Leak: Sensitive data, including file name or content, leaked during data flow
  • Session Injection: Users could modify existing session data
  • SQL Injection: End-user controlled data to SQL database
  • SSRF: App allows user to induce HTTP requests from the server-side to arbitrary domains
  • TLS Checks are Disabled: TLS certificates used in establishing connections aren't validated; user traffic could be intercepted and tampered with
  • Trust Boundary Violation: A trust boundary divides trusted data from untrusted data; a violation occurs when the line between the two is blurred
  • Unvalidated Input Used in Cookie: User data/input that hasn't been validated is used in an HTTP cookie
  • Usage of Insecure API: Application uses insecure API, increasing likelihood of security issues
  • Weak Encryption: Trivial methods are used to encode passwords, leaving passwords unprotected
  • Weak Hash: Use of weak hashing algorithms (e.g., MD5) on sensitive data like passwords
  • Weak Random: The application uses the weak random number generator crypto.pseudoRandomBytes()/Math.random()
  • XML External Entity: Application's allowance of user-controlled data to XML parsers can result in XML External or Internal Entity (XXE) Processing vulnerabilities
  • XML Injection/XXE (External Entity) Injection: User-control data is written to application XML without validation/sanitization
  • XPath Injection: User-controlled data used in XPath query

Insights/Security-Sensitive Functions

  • Application Related: Implementation leading to security vulnerability (e.g., disable SSL certification verification, using a weak hashing function)
  • Command Injection: Use of unvalidated user-input, which could potentially lead to injection vulnerabilities
  • CRYPTO: Use of weak cryptographic functions
  • Directory Traversal: Use of untrusted user input in select methods could result in directory traversal attacks
  • Exfiltration: User-induced response containing data that should not have been exposed
  • HTTP Header Injection: Untrusted user input possibly resulting in HTTP Header Injection or Splitting Attacks
  • IDOR: The possibility that an attacker can guess a generated value based on a previously generated value; this information could then be used for impersonation or to access sensitive information
  • Information Leakage: Storage or transmission of sensitive information using functionality that could be exploited by malicious parties
  • Open Redirect: Use of untrusted user input possibly resulting in an open redirect vulnerability
  • REDOS: Potential use of regex leading to ReDoS (use the safe-regex module to determine if regex is evil or not)
  • Remote Code Injection: Use of user-controlled data that could result in injection vulnerabilities or remote code execution
  • SQL Injection: Unsanitized user-provided data could be injected into SQL databases
  • Untrusted Input: Data provided by untrusted users handled by the application
  • Vulnerable Node Module: Use of Node.js module that does not handle data securely
  • XSS: Use of untrusted user input in response potentially leading to XSS vulnerabilities
  • XXE: User-control data is written to application XML without validation/sanitization

JavaScript Rules

Angular:

  • Insecure Direct Object Reference: Insecure Direct Object Reference (IDOR) occurs when an application exposes a reference to an internal implementation object
  • Angular HTTP Interceptor Usage: Angular HTTP interceptors allows intercepting request and response to inspect and transform headers and data
  • Security Misconfiguration: Missing Angular XSRF protection: Angular HttpClient supports a common mechanism used to prevent XSRF attacks. When performing HTTP requests, an interceptor reads a token from a cookie, by default XSRF-TOKEN, and sets it as an HTTP header, X-XSRF-TOKEN

Electron:

  • OSS Electron Security Misconfiguration

Express.js:

  • Exposed private and internal route: The attack surface of a web application constitutes all the methods that handle the incoming web-requests and have a web route associated with them. This allows HTTP queries to be sent over those routes, and request parameters can be sent to the web service
  • XSS: Protection Mechanism Failure
  • OSS Express Body Parser: Uncontrolled Resource Consumption

HTML 5:

  • Security Misconfiguration: Insecure cookie configuration: Cookies are used without the expected secure and samesite parameter
  • Session and authentication information is persisted in insecure storage without expiry: The application is persisting session and authentication information in insecure local storage without any safeguards or expiry
  • Insecure authentication method used in the application: HTTP form-based authentication is quite insecure and could lead to various kinds of attacks such as phishing, replay, password-spraying, and even man-in-the-middle (MITM)
  • Lack of Input Validation during Form submission: User input from input text fields is used to construct the form data without any sanitization or validation

JavaScript:

  • Prototype Pollution
  • Security Misconfiguration: Untrusted content included without safeguards
  • Header Cookie: Insufficiently Protected Credentials
  • RegEx Injection: Improper Neutralization of Regex could lead to ReDoS
  • Sensitive data from an external API response is leaked via log or persistent storage
  • XXE: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
  • XPath Injection: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

JSON Web Tokens (JWT)

  • Insecure JWT Algorithm: Insufficiently Protected Credentials
  • Insecure JWT Algorithm: Use of a Broken or Risky Cryptographic Algorithm
  • Insecure JWT Algorithm: Insufficiently Protected Credentials

Node.js

  • Denial of Service: Uncontrolled Resource Consumption: Layer7 Denial of Service. Looping over user-controlled objects can result in DoS
  • Denial of Service: String comparisons using '===', '!==', '!=' and '==' are vulnerable to timing attacks
  • Deserialization: User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection
  • Deserialization: Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine
  • Template Injection: Improper Control of Generation of Code (Code Injection): Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine
  • Header Injection: Improper Neutralization of HTTP Headers for Scripting Syntax: Untrusted user input in response header will result in HTTP Header Injection or Response Splitting Attacks
  • Host Header Poisoning: Improper Neutralization of HTTP Headers for Scripting Syntax
  • Sensitive data in Environment Variables
  • Insecure Puppeteer Settings

React.js

  • XSS: HTTP data used in render function without sanitization
  • XSS: Use of DOM manipulation in strict mode
  • XSS: HTTP data used in render function without sanitization

Secrets

  • Access ID
  • Access Token
  • Amazon
  • API Gateway
  • API Key
  • ARN Token
  • Artifactory
  • CloudFront
  • Credit Card Number
  • Crypto
  • Drive API Key
  • Drive OAuth
  • ECommerce
  • Email Address
  • Finance
  • GitHub
  • Gmail API Key
  • Gmail OAuth
  • Google
  • Google Cloud Platform API Key
  • IaaS
  • Infra
  • JWT
  • Mailgun
  • PaaS
  • Password
  • Picatic
  • PII
  • RDS
  • Restricted API Key
  • RKCS8
  • RSA
  • S3 Bucket
  • S3 Object Bucket
  • Secret
  • Slack
  • Social Media
  • Stripe
  • Telephone
  • URI
  • User
  • Webhook
  • YouTube API Key
  • YouTube OAuth

Common Weakness Enumeration (CWE) Categories

  • 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • 78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • 79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • 89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • 90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
  • 91: XML Injection (Blind XPath Injection)
  • 93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  • 117: Improper Output Neutralization for Logs
  • 200: Exposure of Sensitive Information to an Unauthorized Actor
  • 250: Execution with Unnecessary Privileges
  • 259: Use of Hard-coded Password
  • 295: Improper Certificate Validation
  • 327: Use of a Broken or Risky Cryptographic Algorithm
  • 328: Reversible One-Way Hash
  • 338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • 347: Improper Verification of Cryptographic Signature
  • 384: Session Fixation
  • 400: Uncontrolled Resource Consumption
  • 501: Trust Boundary Violation
  • 502: Deserialization of Untrusted Data
  • 522: Insufficiently Protected Credentials
  • 601: URL Redirection to Untrusted Site ('Open Redirect')
  • 611: Improper Restriction of XML External Entity Reference
  • 614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
  • 643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')
  • 676: Use of Potentially Dangerous Function
  • 706: Use of Incorrectly-Resolved Name or Reference
  • 784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision
  • 915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
  • 916: Use of Password Hash With Insufficient Computational Effort
  • 917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
  • 918: Server-Side Request Forgery (SSRF)
  • 943: Improper Neutralization of Special Elements in Data Query Logic
  • 1004: Sensitive Cookie Without 'HttpOnly' Flag

OWASP Categories

Terraform

  • AdminPolicyDocument: Ensure IAM policies that allow full administrative privileges are not created.
  • AKSApiServerAuthorizedIpRanges: Ensure AKS has an API Server Authorized IP Ranges enabled.
  • AKSDashboardDisabled: Ensure Kube Dashboard is disabled.
  • AKSLoggingEnabled: Ensure AKS logging to Azure Monitoring is Configured.
  • AKSNetworkPolicy: Ensure AKS cluster has Network Policy configured.
  • AKSRbacEnabled: Ensure AKS cluster has Network Policy configured.
  • ALBListenerHTTPS: Ensure ALB protocol is HTTPS.
  • AllowedCapabilities: CIS Benchmark 5.2.8** Minimize the admission of containers with added capabilities.
  • AllowPrivilegeEscalation: CIS Benchmark 5.2.5** Minimize the admission of containers with allowPrivilegeEscalation.
  • APIGatewayAuthorization: Ensure there is no open access to back-end resources through API.
  • AppServiceAuthentication: Ensure App Service Authentication is set on Azure App Service.
  • AppServiceHttps20Enabled: Ensure that HTTP Version is the latest if used to run the web app.
  • AppServiceHTTPSOnly: Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service.
  • AppServiceMinTLSVersion: Ensure web app is using the latest version of TLS encryption.
  • AppServieClientCertificate: Ensure web app is using the latest version of TLS encryption.
  • AppServieIdentity: Ensure that Register with Azure Active Directory is enabled on App Service.
  • AZU003: Resource azurerm_managed_disk.example defines an unencrypted managed disk.
  • AZU005: Resource azurerm_virtual_machine.podman has password authentication enabled. Use SSH keys instead.
  • AzureInstancePassword: Ensure Azure Instance does not use basic authentication(Use SSH Key Instead).
  • AzureManagedDiscEncryption: Ensure Azure managed disk have encryption enabled.
  • CloudfrontDistributionEncryption: Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS.
  • CloudfrontDistributionLogging: Ensure Cloudfront distribution has Access Logging enabled.
  • CloudtrailEncryption: Ensure CloudTrail logs are encrypted at rest using KMS CMKs.
  • CloudtrailLogValidation: Ensure CloudTrail log file validation is enabled.
  • CloudtrailMultiRegion: Ensure CloudTrail is enabled in all Regions.
  • cloudwatchLogGroupRetention: Ensure CloudTrail is enabled in all Regions.
  • ContainerSecurityContext: CIS Benchmark 5.7.3** Apply Security Context to Your Pods and Containers.
  • CPULimits: CPU limits should be set.
  • CPURequests: CPU requests should be set.
  • credentials: Ensure no hardcoded AWS access key and secret key exists in the provider.
  • CutsomRoleDefinitionSubscriptionOwner: Ensure that no custom subscription owner roles are created.
  • DefaultNamespace: CIS Benchmark 5.7.4** Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them.
  • DefaultServiceAccountBinding: CIS Benchmark 5.1.5** Ensure that default service accounts are not actively used.
  • DockerSocketVolume: Do not expose the Docker daemon socket to containers.
  • DropCapabilities: CIS Benchmark 5.2.7** Do not generally permit containers with the potentially dangerous NET_RAW capability.
  • DynamodbRecovery: Ensure Dynamodb point in time recovery (backup) is enabled.
  • EBSEncryption: Ensure all data stored in the EBS is securely encrypted.
  • EC2Credentials: Ensure no hardcoded AWS access key and secret key exists in EC2 user data.
  • ECRImageScanning: Ensure ECR image scanning on push is enabled.
  • ECRImmutableTags: Ensure ECR Image Tags are immutable.
  • ECSClusterContainerInsights: Ensure ECR Image Tags are immutable.
  • EKSControlPlaneLogging: Ensure Amazon EKS control plane logging enabled for all log types.
  • EKSPublicAccess: Ensure Amazon EKS public endpoint disabled.
  • EKSPublicAccessCIDR: Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0.
  • EKSSecretsEncryption: Ensure EKS Cluster has Secrets Encryption Enabled.
  • ElasticacheReplicationGroupEncryptionAtRest: Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest.
  • ElasticacheReplicationGroupEncryptionAtTransit: Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit.
  • ElasticacheReplicationGroupEncryptionAtTransitAuthToken: Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit.
  • ElasticsearchEncryption: Ensure all data stored in the Elasticsearch is securely encrypted at rest.
  • GKEAliasIpEnabled: Ensure Kubernetes Cluster is created with Alias IP ranges enabled.
  • GKEBasicAuth: Ensure Kubernetes Cluster is created with Alias IP ranges enabled.
  • GKEClientCertificateEnabled: Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters.
  • GKEClusterLogging: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters.
  • GKEDisableLegacyAuth: Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters.
  • GKEHasLabels: Ensure Kubernetes Clusters are configured with Labels.
  • GKEMonitoringEnabled: Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters.
  • GKENetworkPolicyEnabled: Ensure Network Policy is enabled on Kubernetes Engine Clusters.
  • GKENodePoolAutoRepairEnabled: Ensure Automatic node repair is enabled for Kubernetes Clusters.
  • GKENodePoolAutoUpgradeEnabled: Ensure Automatic node upgrade is enabled for Kubernetes Clusters.
  • GKEPodSecurityPolicyEnabled: Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters.
  • GKEPrivateClusterConfig: Ensure Kubernetes Cluster is created with Private cluster enabled.
  • GKEPublicControlPlane: Ensure GKE Control Plane is not public.
  • GKEUseCosImage: Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image.
  • GoogleBigQueryDatasetPublicACL: Ensure that BigQuery datasets are not anonymously or publicly accessible.
  • GoogleCloudSqlBackupConfiguration: Ensure that BigQuery datasets are not anonymously or publicly accessible.
  • GoogleCloudSqlDatabasePublicallyAccessible: Ensure that BigQuery datasets are not anonymously or publicly accessible.
  • GoogleCloudSqlDatabaseRequireSsl: Ensure all Cloud SQL database instance requires all incoming connections to use SSL.
  • GoogleComputeBootDiskEncryption: Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK).
  • GoogleComputeDefaultServiceAccount: Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK).
  • GoogleComputeDiskEncryption: Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK).
  • GoogleComputeFirewallUnrestrictedIngress22: Ensure Google compute firewall ingress does not allow unrestricted SSH access.
  • GoogleComputeFirewallUnrestrictedIngress3389: Ensure Google compute firewall ingress does not allow unrestricted rdp access.
  • GoogleComputeInstanceOSLogin: Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in prject metadata for all instances).
  • GoogleComputeIPForward: Ensure that IP forwarding is not enabled on Instances.
  • GoogleComputeSerialPorts: Ensure that IP forwarding is not enabled on Instances.
  • GoogleComputeShieldedVM: Ensure Compute instances are launched with Shielded VM enabled.
  • GoogleComupteBlockProjectSSH: Ensure Block Project-wide SSH keys is enabled for VM instances.
  • GoogleStorageBucketEncryption: Ensure Block Project-wide SSH keys is enabled for VM instances.
  • GoogleStorageBucketNotPublic: Ensure Block Project-wide SSH keys is enabled for VM instances.
  • GoogleStorageBucketUniformAccess: Ensure Block Project-wide SSH keys is enabled for VM instances.
  • GoogleSubnetworkLoggingEnabled: Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network.
  • HostPort: Do not specify hostPort unless absolutely necessary.
  • IAMPolicyAttachedToGroupOrRoles: Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges).
  • IAMRoleAllowAssumeFromAccount: Ensure IAM role allows only specific principals in account to assume it.
  • ImageDigest: Image should use digest.
  • ImagePullPolicyAlways: Image Pull Policy should be Always.
  • ImageTagFixed: Image Tag should be fixed - not latest or blank.
  • IMDSv1Disabled: Ensure Instance Metadata Service Version 1 is not enabled.
  • KeyExpirationDate: Ensure that the expiration date is set on all keys.
  • KeyvaultRecoveryEnabled: Ensure the key vault is recoverable.
  • KinesisStreamEncryptionType: Ensure Kinesis Stream is securely encrypted.
  • KMSRotation: Ensure rotation for customer created CMKs is enabled.
  • KubernetesDashboard: Ensure the Kubernetes dashboard is not deployed.
  • LambdaEnvironmentCredentials: Ensure the Kubernetes dashboard is not deployed.
  • LambdaXrayEnabled: X-ray tracing is enabled for Lambda.
  • LaunchConfigurationEBSEncryption: Ensure all data stored in the Launch configuration EBS is securely encrypted.
  • LivenessProbe: Liveness Probe Should be Configured.
  • MemoryLimits: Memory limits should be set.
  • MemoryRequests: Memory limits should be set.
  • MinimizeCapabilities: CIS Benchmark 5.2.9. Minimize the admission of containers with capabilities assigned.
  • MonitorLogProfileCategories: Ensure audit profile captures all the activities.
  • MonitorLogProfileRetentionDays: Ensure that Activity Log Retention is set 365 days or greater.
  • MQBrokerLogging: Ensure MQ Broker logging is enabled.
  • MySQLServerSSLEnforcementEnabled: Ensure Enforce SSL connection is set to ENABLED for MySQL Database Server.
  • NeptuneClusterStorageEncrypted: Ensure Neptune storage is securely encrypted.
  • NetworkWatcherFlowLogPeriod: Ensure that Network Security Group Flow Log retention period is greater than 90 days.
  • NSGRuleRDPAccessRestricted: Ensure that RDP access is restricted from the internet.
  • NSGRuleSSHAccessRestricted: Ensure that SSH access is restricted from the internet.
  • PodSecurityContext: CIS Benchmark 5.7.3. Apply Security Context to Your Pods and Containers.
  • PostgreSQLServerConnectionThrottlingEnabled: Ensure server parameter connection_throttling is set to ON for PostgreSQL Database Server.
  • PostgreSQLServerLogCheckpointsEnabled: Ensure server parameter log_checkpoints is set to ON for PostgreSQL Database Server.
  • PostgreSQLServerSSLEnforcementEnabled: Ensure Enforce SSL connection is set to ENABLED for PostgreSQL Database Server.
  • PrivateRepo: Ensure Repository is Private.
  • PrivilegedContainers: CIS Benchmark 5.2.1. Minimize the admission of privileged containers.
  • RDSEncryption: Ensure all data stored in the RDS is securely encrypted at rest.
  • RDSPubliclyAccessible: Ensure all data stored in the RDS bucket is not public accessible.
  • ReadinessProbe: Readiness Probe Should be Configured.
  • ReadOnlyFilesystem: Use read-only filesystem for containers where possible.
  • RedshiftClusterEncryption: Ensure all data stored in the Redshift cluster is securely encrypted at rest.
  • RootContainers: CIS Benchmark 5.2.6. Minimize the admission of root containers.
  • RootContainersHighUID: Containers should run as a high UID to avoid host conflict.
  • S3AccessLogs: Ensure the S3 bucket has access logging enabled.
  • S3AllowsAnyPrincipal: Ensure S3 bucket does not allow an action with any Principal.
  • S3BlockPublicACLs: Ensure S3 bucket has block public ACLS enabled.
  • S3BlockPublicPolicy: Ensure S3 bucket has block public policy enabled.
  • S3Encryption: Ensure all data stored in the S3 bucket is securely encrypted at rest.
  • S3IgnorePublicACLs: Ensure S3 bucket has ignore public ACLs enabled.
  • S3MFADelete: Ensure S3 bucket has MFA delete enabled.
  • S3PublicACLRead: S3 bucket has an ACL defined which allows public READ access.
  • S3RestrictPublicBuckets: Ensure S3 bucket has restrict_public_bucket enabled.
  • S3Versioning: Ensure S3 bucket has restrict_public_bucket enabled.
  • Seccomp: CIS Benchmark 5.7.2. Ensure that the seccomp profile is set to docker/default in your pod definitions.
  • SecretExpirationDate: Ensure that the expiration date is set on all secrets.
  • Secrets: CIS Benchmark 5.4.1. Kubernetes supports mounting secrets as data volumes or as environment variables. Minimize the use of environment variable secrets.
  • SecurityCenterContactEmailAlert: Ensure that Send email notification for high severity alerts is set to On.
  • SecurityCenterContactEmailAlertAdmins: Ensure that Send email notification for high severity alerts is set to On.
  • SecurityCenterContactPhone: Ensure that security contact Phone number is set.
  • SecurityCenterStandardPricing: Ensure that standard pricing tier is selected.
  • SecurityGroupRuleDescription: Ensure every security groups rule has a description.
  • SecurityGroupUnrestrictedIngress22: Ensure no security groups allow ingress from 0.0.0.0:0 to port 22.
  • SecurityGroupUnrestrictedIngress3389: Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389.
  • ServiceAccountTokens: CIS Benchmark 5.1.6. Ensure that Service Account Tokens are only mounted where necessary.
  • SharedHostNetworkNamespace: CIS Benchmark 5.2.4. Minimize the admission of containers wishing to share the host network namespace.
  • ShareHostIPC: CIS Benchmark 5.2.3. Minimize the admission of containers wishing to share the host IPC namespace.
  • ShareHostPID: CIS Benchmark 5.2.2. Minimize the admission of containers wishing to share the host process ID namespace.
  • SNSTopicEncryption: Ensure all data stored in the SNS topic is encrypted.
  • SQLServerAuditingEnabled: Ensure that Auditing is set to On for SQL servers.
  • SQLServerAuditingRetention90Days: Ensure that Auditing Retention is greater than 90 days for SQL servers.
  • SQLServerEmailAlertsEnabled: Ensure that Send Alerts To is enabled for MSSQL servers.
  • SQLServerEmailAlertsToAdminsEnabled: Ensure that Email service and co-administrators is Enabled for MSSQL servers.
  • SQLServerThreatDetectionTypes: Ensure that Threat Detection types is set to All.
  • SQSQueueEncryption: Ensure that Threat Detection types is set to All.
  • StarActionPolicyDocument: Ensure that Threat Detection types is set to All.
  • StorageAccountAzureServicesAccessEnabled: Ensure Trusted Microsoft Services is enabled for Storage Account access.
  • StorageAccountDefaultNetworkAccessDeny: Ensure default network access rule for Storage Accounts is set to deny.
  • StorageAccountLoggingQueueServiceEnabled: Ensure Storage logging is enabled for Queue service for read, write and delete requests.
  • StorageAccountMinimumTlsVersion: Ensure Storage Account is using the latest version of TLS encryption.
  • StorageAccountsTransportEncryption: Ensure that Secure transfer required is set to Enabled.
  • WAFEnabled: CloudFront Distribution should have WAF enabled.
  • XSS: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.