Conversation

@kunaals (Collaborator) commented Jan 6, 2026

Motivation

  • Make CIS GCP checks discoverable and individually runnable by splitting the previous monolithic ruleset into per-control rules following the established AWS split-by-control pattern.
  • Surface high-value compliance findings that map directly to Cartography's existing GCP data model (networks/firewalls, VM public IPs, and GCS bucket settings).
  • Keep each rule focused on a single security concept so facts and outputs are consistent and easier to test and maintain.

Description

  • Add a new rules module cartography/rules/data/rules/cis_4_0_gcp.py defining GCPCISFinding and five rules with one Fact each: cis_gcp_3_1_default_network, cis_gcp_3_6_unrestricted_ssh, cis_gcp_3_7_unrestricted_rdp, cis_gcp_4_9_public_ip, and cis_gcp_5_2_bucket_uniform_access.
  • Register the new rules in the rules registry by importing them and adding their id entries to the RULES dictionary in cartography/rules/data/rules/__init__.py.
  • Update documentation in docs/root/usage/rules.md to list the new rule identifiers and show example usage (e.g., cartography-rules run cis_gcp_3_1_default_network).
  • Replace the old combined tests with tests/unit/rules/test_cis_4_0_gcp.py, updating assertions to validate registration, Module/Maturity, fact IDs, and that parse_results preserves extra fields.

Testing

  • Ran the rules unit test suite with python -m pytest tests/unit/rules.
  • Tests passed: 13 passed with warnings only.
  • Unit tests validate rule registration in RULES, fact metadata (Module.GCP, Maturity.EXPERIMENTAL), fact ID naming, and parse_results behavior preserving extra fields.

Codex Task

@cubic-dev-ai (bot, Contributor) left a comment


1 issue found across 4 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="cartography/rules/data/rules/cis_4_0_gcp.py">

<violation number="1" location="cartography/rules/data/rules/cis_4_0_gcp.py:87">
P2: This rule only checks for IPv4 unrestricted access (`0.0.0.0/0`) but misses IPv6 unrestricted access (`::/0`). Firewall rules allowing SSH from all IPv6 addresses should also be flagged.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Inline review thread on cartography/rules/data/rules/cis_4_0_gcp.py (line 87):

description="Flags ingress firewall rules that allow SSH (port 22) from 0.0.0.0/0.",
cypher_query="""
MATCH (project:GCPProject)-[:RESOURCE]->(vpc:GCPVpc)-[:RESOURCE]->(fw:GCPFirewall {direction: 'INGRESS'})
MATCH (fw)<-[:ALLOWED_BY]-(rule:GCPIpRule)<-[:MEMBER_OF_IP_RULE]-(range:IpRange {range: '0.0.0.0/0'})
@cubic-dev-ai (bot, Contributor) commented Jan 6, 2026


P2: This rule only checks for IPv4 unrestricted access (0.0.0.0/0) but misses IPv6 unrestricted access (::/0). Firewall rules allowing SSH from all IPv6 addresses should also be flagged.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cartography/rules/data/rules/cis_4_0_gcp.py, line 87:

<comment>This rule only checks for IPv4 unrestricted access (`0.0.0.0/0`) but misses IPv6 unrestricted access (`::/0`). Firewall rules allowing SSH from all IPv6 addresses should also be flagged.</comment>

<file context>
@@ -0,0 +1,277 @@
+    description=&quot;Flags ingress firewall rules that allow SSH (port 22) from 0.0.0.0/0.&quot;,
+    cypher_query=&quot;&quot;&quot;
+    MATCH (project:GCPProject)-[:RESOURCE]-&gt;(vpc:GCPVpc)-[:RESOURCE]-&gt;(fw:GCPFirewall {direction: &#39;INGRESS&#39;})
+    MATCH (fw)&lt;-[:ALLOWED_BY]-(rule:GCPIpRule)&lt;-[:MEMBER_OF_IP_RULE]-(range:IpRange {range: &#39;0.0.0.0/0&#39;})
+    WHERE coalesce(fw.disabled, false) = false
+      AND rule.protocol = &#39;tcp&#39;
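Review bot: the inline property `(range:IpRange {range: '0.0.0.0/0'})` on the second MATCH line and the filter `AND rule.protocol = 'tcp'` together under-match: a firewall whose source range is `::/0` (every IPv6 address) or whose allowed entry uses the GCP wildcard protocol `all` still exposes port 22 to the Internet but is never returned. Suggest dropping the inline property and filtering with `range.range IN ['0.0.0.0/0', '::/0']` and `rule.protocol IN ['tcp', 'all']` (the `all` case assumes ingestion stores the API's IPProtocol value unchanged), and updating the description string on the first line to say "from 0.0.0.0/0 or ::/0" so the rule text matches what the query flags.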
</file context>

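To make the gap the bot raises concrete, here is an added example (not Cartography's own code and not the query that was merged) that runs the same SSH check offline against the GCP Compute firewall resource shape (direction, disabled, allowed[].IPProtocol/ports, sourceRanges) instead of the Neo4j graph. It goes beyond the snippet above in two ways: it treats `::/0` and `0.0.0.0/0` alike, and it handles port ranges ("20-25"), an absent port list, and the wildcard protocol `all`, all of which a literal match on `'0.0.0.0/0'` and `protocol = 'tcp'` would miss. The firewall records are constructed for the example.

```python
"""Offline mirror of a 'port 22 open to the Internet' check for GCP firewalls.

Added example, not Cartography code. Input records follow the GCP Compute
firewall REST shape; the sample data below is constructed for this demo.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Protocol values that carry TCP traffic: an explicit 'tcp' or GCP's wildcard
# 'all' (ports are only given for tcp/udp/sctp, so 'all' implies every port).
TCP_PROTOCOLS = frozenset({"tcp", "all"})


def is_unrestricted_range(cidr: str) -> bool:
    """True when the source range covers every address in its family.

    Checking the prefix length instead of comparing against the literal
    '0.0.0.0/0' makes '::/0' (and spellings like '0.0.0.0/0' vs '0/0') match.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0


def port_allowed(port: int, ports: Optional[Iterable[str]]) -> bool:
    """True if `port` is covered by a GCP port list such as ['22', '20-25'].

    An absent or empty list means the entry allows all ports of that protocol.
    """
    if not ports:
        return True
    for spec in ports:
        low_s, _, high_s = spec.partition("-")
        low = int(low_s)
        high = int(high_s) if high_s else low
        if low <= port <= high:
            return True
    return False


def allows_port_from_anywhere(fw: Dict, port: int) -> bool:
    """Enabled INGRESS rule, TCP or 'all' protocol, port in range, and at least
    one /0 source range in either address family."""
    if fw.get("direction", "INGRESS") != "INGRESS":
        return False
    if fw.get("disabled", False):
        return False
    if not any(is_unrestricted_range(r) for r in fw.get("sourceRanges", [])):
        return False
    for entry in fw.get("allowed", []):
        proto = entry.get("IPProtocol", "").lower()
        if proto in TCP_PROTOCOLS and port_allowed(port, entry.get("ports")):
            return True
    return False


def find_unrestricted_ssh(firewalls: List[Dict]) -> List[str]:
    """Names of firewalls exposing TCP/22 to 0.0.0.0/0 or ::/0, sorted."""
    return sorted(fw["name"] for fw in firewalls if allows_port_from_anywhere(fw, 22))


# Constructed sample data (not from any real project).
SAMPLE_FIREWALLS = [
    {"name": "ssh-v4-open", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "ssh-v6-open", "direction": "INGRESS", "disabled": False,  # missed by an IPv4-only literal
     "sourceRanges": ["::/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "range-covers-22", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
    {"name": "all-protocols", "direction": "INGRESS", "disabled": False,  # wildcard protocol, no port list
     "sourceRanges": ["::/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "ssh-corp-only", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "ssh-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "rdp-only", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "egress-ssh", "direction": "EGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]

if __name__ == "__main__":
    print(find_unrestricted_ssh(SAMPLE_FIREWALLS))
```

The same widening in the graph query would replace the inline `{range: '0.0.0.0/0'}` with `WHERE range.range IN ['0.0.0.0/0', '::/0']` and `rule.protocol = 'tcp'` with `rule.protocol IN ['tcp', 'all']`; whether `all` survives ingestion as that literal is an assumption to confirm against the GCPIpRule loader before relying on it. Running `find_unrestricted_ssh` on the sample data flags the IPv4 and IPv6 rules, the range that contains 22, and the wildcard protocol rule, and leaves the internal-only, disabled, RDP-only and egress rules alone.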