Checkmarx · arpitjain099 · Jun 3, 2026
diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/query.rego b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/query.rego
@@ -120,11 +120,17 @@ small_network_affix := ["/25","/26","/27","/28","/29"]
 ipv6_small_network_affix := ["/121","/122","/123","/124","/125"]
 
 isSmallPublicNetwork(resource) {
-	endswith(resource.cidr_blocks[_], small_network_affix[_])
+	cidr := resource.cidr_blocks[_]
+	endswith(cidr, small_network_affix[_])
+	not common_lib.isPrivateIP(cidr)
 } else {
-	endswith(resource.ipv6_cidr_blocks[_], ipv6_small_network_affix[_])
+	cidr := resource.ipv6_cidr_blocks[_]
+	endswith(cidr, ipv6_small_network_affix[_])
+	not common_lib.isPrivateIP(cidr)
 } else {
 	endswith(resource.cidr_ipv4, small_network_affix[_])
+	not common_lib.isPrivateIP(resource.cidr_ipv4)
 } else {
 	endswith(resource.cidr_ipv6, ipv6_small_network_affix[_])
+	not common_lib.isPrivateIP(resource.cidr_ipv6)
 }
diff --git a/...queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/negative1.tf b/...queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/negative1.tf
@@ -71,6 +71,37 @@ resource "aws_security_group" "negative1_array_test_ipv6" {
     from_port         = 5000
     to_port           = 5000
     protocol          = "icmpv6"
-    ipv6_cidr_blocks  = ["fd03:5678::/64", "2400:cb00::/32"] 
+    ipv6_cidr_blocks  = ["fd03:5678::/64", "2400:cb00::/32"]
+  }
+}
+
+# correct port and protocol, but the cidr is a small PRIVATE network (RFC1918 / ULA), so it must not be flagged
+resource "aws_security_group" "negative1_private_ipv4_1" {
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["10.0.0.0/25"]
+  }
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["192.168.0.0/26"]
+  }
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["172.16.0.0/27"]
+  }
+}
+
+resource "aws_security_group" "negative1_private_ipv6_1" {
+  ingress {
+    from_port         = 22
+    to_port           = 22
+    protocol          = "tcp"
+    ipv6_cidr_blocks  = ["fd00::/121"]
   }
 }
diff --git a/...queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/negative2.tf b/...queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/negative2.tf
@@ -64,3 +64,25 @@ resource "aws_vpc_security_group_ingress_rule" "negative2_ipv6_4" {
   ip_protocol       = "icmpv6"
   cidr_ipv6         = "2400:cb00::/32"
 }
+
+# correct port and protocol, but the cidr is a small PRIVATE network (RFC1918 / ULA), so it must not be flagged
+resource "aws_vpc_security_group_ingress_rule" "negative2_private_ipv4_1" {
+  from_port    = 22
+  to_port      = 22
+  ip_protocol  = "tcp"
+  cidr_ipv4    = "10.0.0.0/25"
+}
+
+resource "aws_vpc_security_group_ingress_rule" "negative2_private_ipv4_2" {
+  from_port    = 22
+  to_port      = 22
+  ip_protocol  = "tcp"
+  cidr_ipv4    = "172.16.0.0/27"
+}
+
+resource "aws_vpc_security_group_ingress_rule" "negative2_private_ipv6_1" {
+  from_port    = 22
+  to_port      = 22
+  ip_protocol  = "tcp"
+  cidr_ipv6    = "fd00::/121"
+}
diff --git a/...queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/negative3.tf b/...queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/negative3.tf
@@ -72,3 +72,28 @@ resource "aws_security_group_rule" "negative3_ipv6_4" {
   ipv6_cidr_blocks  = ["fd03:5678::/64", "2400:cb00::/32"]
   type              = "ingress"
 }
+
+# correct port and protocol, but the cidr is a small PRIVATE network (RFC1918 / ULA), so it must not be flagged
+resource "aws_security_group_rule" "negative3_private_ipv4_1" {
+  from_port    = 22
+  to_port      = 22
+  protocol     = "tcp"
+  cidr_blocks  = ["10.0.0.0/25"]
+  type         = "ingress"
+}
+
+resource "aws_security_group_rule" "negative3_private_ipv4_2" {
+  from_port    = 22
+  to_port      = 22
+  protocol     = "tcp"
+  cidr_blocks  = ["192.168.0.0/26"]
+  type         = "ingress"
+}
+
+resource "aws_security_group_rule" "negative3_private_ipv6_1" {
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  ipv6_cidr_blocks  = ["fd00::/121"]
+  type              = "ingress"
+}
diff --git a/...queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/negative4.tf b/...queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/negative4.tf
@@ -61,7 +61,38 @@ module "negative4_ipv6_1" {
       from_port         = 5000
       to_port           = 5000
       protocol          = "icmpv6"
-      ipv6_cidr_blocks  = ["fd03:5678::/64", "2400:cb00::/32"] 
+      ipv6_cidr_blocks  = ["fd03:5678::/64", "2400:cb00::/32"]
+    }
+  ]
+}
+
+# correct port and protocol, but the cidr is a small PRIVATE network (RFC1918 / ULA), so it must not be flagged
+module "negative4_private_ipv4_1" {
+  source  = "terraform-aws-modules/security-group/aws"
+  ingress_with_cidr_blocks = [
+    {
+      from_port   = 22
+      to_port     = 22
+      protocol    = "tcp"
+      cidr_blocks = ["10.0.0.0/25"]
+    },
+    {
+      from_port   = 22
+      to_port     = 22
+      protocol    = "tcp"
+      cidr_blocks = ["172.16.0.0/27"]
+    }
+  ]
+}
+
+module "negative4_private_ipv6_1" {
+  source  = "terraform-aws-modules/security-group/aws"
+  ingress_with_ipv6_cidr_blocks = [
+    {
+      from_port         = 22
+      to_port           = 22
+      protocol          = "tcp"
+      ipv6_cidr_blocks  = ["fd00::/121"]
     }
   ]
 }
diff --git a/...queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive1.tf b/...queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive1.tf
@@ -4,7 +4,7 @@ resource "aws_security_group" "positive1_ipv4_1" {
     from_port   = 22
     to_port     = 22
     protocol    = "-1"
-    cidr_blocks = ["10.0.0.0/25"]
+    cidr_blocks = ["203.0.113.0/25"]
   }
 }
 
@@ -13,7 +13,7 @@ resource "aws_security_group" "positive1_ipv4_2" {
     from_port   = 22
     to_port     = 22
     protocol    = "tcp"
-    cidr_blocks = ["192.168.0.0/26"]
+    cidr_blocks = ["198.51.100.0/26"]
   }
 }
 
@@ -22,13 +22,13 @@ resource "aws_security_group" "positive1_array_test_ipv4" {
     from_port   = 22
     to_port     = 22
     protocol    = "udp"
-    cidr_blocks = ["172.16.0.0/27"]
+    cidr_blocks = ["8.8.8.0/27"]
   }
   ingress {
     from_port   = 110
     to_port     = 110
     protocol    = "udp"
-    cidr_blocks = ["10.68.0.0", "172.16.0.0/27"]
+    cidr_blocks = ["10.68.0.0", "1.1.1.0/27"]
   }
 }
 
@@ -39,7 +39,7 @@ resource "aws_security_group" "positive1_ipv6_1" {
     from_port         = 22
     to_port           = 22
     protocol          = "-1"
-    ipv6_cidr_blocks  = ["fd00::/121"]
+    ipv6_cidr_blocks  = ["2400:cb00::/121"]
   }
 }
 
@@ -48,7 +48,7 @@ resource "aws_security_group" "positive1_ipv6_2" {
     from_port         = 22
     to_port           = 22
     protocol          = "tcp"
-    ipv6_cidr_blocks  = ["fd12:3456:789a::1/122"]
+    ipv6_cidr_blocks  = ["2606:4700:4700::1/122"]
   }
 }
 
@@ -57,13 +57,13 @@ resource "aws_security_group" "positive1_array_test_ipv6" {
     from_port         = 22
     to_port           = 22
     protocol          = "udp"
-    ipv6_cidr_blocks  = ["fd00:abcd:1234::42/123"] 
+    ipv6_cidr_blocks  = ["2001:4860:4860::42/123"]
   }
 
   ingress {
     from_port         = 110
     to_port           = 110
     protocol          = "udp"
-    ipv6_cidr_blocks  = ["fd03:5678::/64", "fd00:abcd:1234::42/123"] 
+    ipv6_cidr_blocks  = ["fd03:5678::/64", "2001:4860:4860::42/123"]
   }
 }
diff --git a/...queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive2.tf b/...queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive2.tf
@@ -3,28 +3,28 @@ resource "aws_vpc_security_group_ingress_rule" "positive2_ipv4_1" {
   from_port         = 22
   to_port           = 22
   ip_protocol       = "-1"
-  cidr_ipv4         = "10.0.0.0/25"
+  cidr_ipv4         = "203.0.113.0/25"
 }
 
 resource "aws_vpc_security_group_ingress_rule" "positive2_ipv4_2" {
   from_port         = 22
   to_port           = 22
   ip_protocol       = "tcp"
-  cidr_ipv4         = "192.168.0.0/26"
+  cidr_ipv4         = "198.51.100.0/26"
 }
 
 resource "aws_vpc_security_group_ingress_rule" "positive2_ipv4_3" {
   from_port         = 22
   to_port           = 22
   ip_protocol       = "udp"
-  cidr_ipv4         = "172.16.0.0/27"
+  cidr_ipv4         = "8.8.8.0/27"
 }
 
 resource "aws_vpc_security_group_ingress_rule" "positive2_ipv4_4" {
   from_port         = 110
   to_port           = 110
   ip_protocol       = "udp"
-  cidr_ipv4         = "172.16.0.0/27"
+  cidr_ipv4         = "1.1.1.0/27"
 }
 
 # ipv6
@@ -33,26 +33,26 @@ resource "aws_vpc_security_group_ingress_rule" "positive2_ipv6_1" {
   from_port         = 22
   to_port           = 22
   ip_protocol       = "-1"
-  cidr_ipv6         = "fd00::/121" 
+  cidr_ipv6         = "2400:cb00::/121"
 }
 
 resource "aws_vpc_security_group_ingress_rule" "positive2_ipv6_2" {
   from_port         = 22
   to_port           = 22
   ip_protocol       = "tcp"
-  cidr_ipv6         = "fd12:3456:789a::1/122"
+  cidr_ipv6         = "2606:4700:4700::1/122"
 }
 
 resource "aws_vpc_security_group_ingress_rule" "positive2_ipv6_3" {
   from_port         = 22
   to_port           = 22
   ip_protocol       = "udp"
-  cidr_ipv6         = "fd00:abcd:1234::42/123"
+  cidr_ipv6         = "2001:4860:4860::42/123"
 }
 
 resource "aws_vpc_security_group_ingress_rule" "positive2_ipv6_4" {
   from_port         = 110
   to_port           = 110
   ip_protocol       = "udp"
-  cidr_ipv6         = "fd00:abcd:1234::42/123"
+  cidr_ipv6         = "2001:4860:4860::42/123"
 }
diff --git a/...queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive3.tf b/...queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive3.tf
@@ -3,31 +3,31 @@ resource "aws_security_group_rule" "positive3_ipv4_1" {
   from_port    = 22
   to_port      = 22
   protocol     = "-1"
-  cidr_blocks  = ["10.0.0.0/25"]
+  cidr_blocks  = ["203.0.113.0/25"]
   type         = "ingress"
 }
 
 resource "aws_security_group_rule" "positive3_ipv4_2" {
   from_port    = 22
   to_port      = 22
   protocol     = "tcp"
-  cidr_blocks  = ["192.168.0.0/26"]
+  cidr_blocks  = ["198.51.100.0/26"]
   type         = "ingress"
 }
 
 resource "aws_security_group_rule" "positive3_ipv4_3" {
   from_port    = 22
   to_port      = 22
   protocol     = "udp"
-  cidr_blocks  = ["172.16.0.0/27"]
+  cidr_blocks  = ["8.8.8.0/27"]
   type         = "ingress"
 }
 
 resource "aws_security_group_rule" "positive3_ipv4_4" {
   from_port    = 110
   to_port      = 110
   protocol     = "udp"
-  cidr_blocks  = ["10.68.0.0", "172.16.0.0/27"]
+  cidr_blocks  = ["10.68.0.0", "1.1.1.0/27"]
   type         = "ingress"
 }
 
@@ -37,30 +37,30 @@ resource "aws_security_group_rule" "positive3_ipv6_1" {
   from_port         = 22
   to_port           = 22
   protocol          = "-1"
-  ipv6_cidr_blocks  = ["fd00::/121"]
+  ipv6_cidr_blocks  = ["2400:cb00::/121"]
   type              = "ingress"
 }
 
 resource "aws_security_group_rule" "positive3_ipv6_2" {
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"
-  ipv6_cidr_blocks  = ["fd12:3456:789a::1/122"]
+  ipv6_cidr_blocks  = ["2606:4700:4700::1/122"]
   type              = "ingress"
 }
 
 resource "aws_security_group_rule" "positive3_ipv6_3" {
   from_port         = 22
   to_port           = 22
   protocol          = "udp"
-  ipv6_cidr_blocks  = ["fd00:abcd:1234::42/123"]
+  ipv6_cidr_blocks  = ["2001:4860:4860::42/123"]
   type              = "ingress"
 }
 
 resource "aws_security_group_rule" "positive3_ipv6_4" {
   from_port         = 110
   to_port           = 110
   protocol          = "udp"
-  ipv6_cidr_blocks  = ["fd03:5678::/64", "fd00:abcd:1234::42/123"] 
+  ipv6_cidr_blocks  = ["fd03:5678::/64", "2001:4860:4860::42/123"]
   type              = "ingress"
 }