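---
# tfsec configuration. Every check ID listed under `exclude` is skipped for
# the whole scan, regardless of the resource it would have matched.
#
# This list covers the large majority of the tfsec rule set, including checks
# for public S3 buckets and security groups, wildcard IAM policies, unencrypted
# storage and plaintext secrets, so the scan as configured reports very little.
# Each exclusion should carry a short justification (or a ticket reference) on
# the line above it and be re-reviewed periodically. Where only one resource
# needs an exception, prefer a scoped inline ignore
# (`#tfsec:ignore:<check-id>` on that resource) over a global exclusion.
#
# NOTE(review): several checks appear under two naming schemes (e.g.
# aws-vpc-* and aws-ec2-*, aws-autoscaling-* and aws-ec2-*-launch-config-*),
# which looks like support for more than one tfsec release — confirm against
# the pinned tfsec version and drop IDs it no longer recognises.
exclude:
# AWS
- aws-api-gateway-enable-access-logging
- aws-api-gateway-enable-cache-encryption
- aws-api-gateway-enable-tracing
- aws-api-gateway-no-public-access
- aws-athena-enable-at-rest-encryption
- aws-athena-no-encryption-override
- aws-autoscaling-enable-at-rest-encryption
- aws-autoscaling-enforce-http-token-imds
- aws-autoscaling-no-public-ip
- aws-autoscaling-no-secrets-in-user-data
- aws-autoscaling-no-sensitive-info
- aws-cloudfront-enable-logging
- aws-cloudfront-enable-waf
- aws-cloudtrail-enable-all-regions
- aws-cloudtrail-enable-at-rest-encryption
- aws-cloudtrail-enable-log-validation
- aws-cloudwatch-log-group-customer-key
- aws-codebuild-enable-encryption
- aws-config-aggregate-all-regions
- aws-documentdb-enable-log-export
- aws-documentdb-enable-storage-encryption
- aws-documentdb-encryption-customer-key
- aws-dynamodb-enable-at-rest-encryption
- aws-dynamodb-enable-recovery
- aws-dynamodb-table-customer-key
- aws-ebs-enable-volume-encryption
- aws-ebs-encryption-customer-key
- aws-ec2-enable-at-rest-encryption
- aws-ec2-enforce-http-token-imds
- aws-ec2-no-secrets-in-user-data
- aws-ecr-enable-image-scans
- aws-ecr-enforce-immutable-repository
- aws-ecr-no-public-access
- aws-ecr-repository-customer-key
- aws-ecs-enable-container-insight
- aws-ecs-enable-in-transit-encryption
- aws-efs-enable-at-rest-encryption
- aws-eks-enable-control-plane-logging
- aws-eks-encrypt-secrets
- aws-eks-no-public-cluster-access
- aws-eks-no-public-cluster-access-to-cidr
- aws-elastic-search-enable-domain-encryption
- aws-elastic-search-enable-domain-logging
- aws-elastic-search-enable-in-transit-encryption
- aws-elasticache-add-description-for-security-group
- aws-elasticache-enable-at-rest-encryption
- aws-elasticache-enable-backup-retention
- aws-elasticache-enable-in-transit-encryption
- aws-elb-alb-not-public
- aws-elb-drop-invalid-headers
- aws-iam-enforce-mfa
- aws-iam-no-password-reuse
- aws-iam-no-policy-wildcards
- aws-iam-require-lowercase-in-passwords
- aws-iam-require-numbers-in-passwords
- aws-iam-require-symbols-in-passwords
- aws-iam-require-uppercase-in-passwords
- aws-iam-set-max-password-age
- aws-iam-set-minimum-password-length
- aws-kinesis-enable-in-transit-encryption
- aws-kms-auto-rotate-keys
- aws-lambda-enable-tracing
- aws-lambda-restrict-source-arn
- aws-mq-enable-audit-logging
- aws-mq-enable-general-logging
- aws-mq-no-public-access
- aws-msk-enable-in-transit-encryption
- aws-msk-enable-logging
- aws-neptune-enable-log-export
- aws-neptune-enable-storage-encryption
- aws-neptune-encryption-customer-key
- aws-rds-enable-performance-insights
- aws-rds-enable-performance-insights-encryption
- aws-rds-encrypt-cluster-storage-data
- aws-rds-encrypt-instance-storage-data
- aws-rds-specify-backup-retention
- aws-redshift-encryption-customer-key
- aws-redshift-use-vpc
- aws-s3-block-public-acls
- aws-s3-block-public-policy
- aws-s3-enable-bucket-encryption
- aws-s3-enable-bucket-logging
- aws-s3-enable-versioning
- aws-s3-encryption-customer-key
- aws-s3-ignore-public-acls
- aws-s3-no-public-access-with-acl
- aws-s3-no-public-buckets
- aws-s3-specify-public-access-block
- aws-sns-enable-topic-encryption
- aws-sqs-enable-queue-encryption
- aws-sqs-no-wildcards-in-policy-documents
- aws-ssm-secret-use-customer-key
- aws-ssm-avoid-leaks-via-http
- aws-vpc-add-description-to-security-group
- aws-vpc-add-description-to-security-group-rule
- aws-vpc-no-default-vpc
- aws-vpc-no-excessive-port-access
- aws-vpc-no-public-egress-sgr
- aws-vpc-no-public-ingress-acl
- aws-vpc-no-public-ingress-sgr
- aws-workspaces-enable-disk-encryption
# AWS, second batch (aws-ec2-no-secrets-in-user-data was listed twice; the
# duplicate entry has been dropped — it is already excluded above)
- aws-cloudtrail-ensure-cloudwatch-integration
- aws-cloudtrail-no-public-log-access
- aws-cloudtrail-require-bucket-access-logging
- aws-ec2-add-description-to-security-group-rule
- aws-ec2-add-description-to-security-group
- aws-ec2-enable-launch-config-at-rest-encryption
- aws-ec2-enable-volume-encryption
- aws-ec2-enforce-launch-config-http-token-imds
- aws-ec2-no-default-vpc
- aws-ec2-no-excessive-port-access
- aws-ec2-no-public-egress-sgr
- aws-ec2-no-public-ingress-acl
- aws-ec2-no-public-ingress-sgr
- aws-ec2-no-public-ip-subnet
- aws-ec2-no-public-ip
- aws-ec2-no-secrets-in-launch-template-user-data
- aws-ec2-no-sensitive-info
- aws-ec2-volume-encryption-customer-key
- aws-emr-enable-at-rest-encryption
- aws-emr-enable-in-transit-encryption
- aws-emr-enable-local-disk-encryption
- aws-iam-enforce-group-mfa
- aws-iam-no-root-access-keys
- aws-iam-no-user-attached-policies
- aws-sns-topic-encryption-use-cmk
- aws-sqs-queue-encryption-use-cmk
# Azure
- azure-appservice-account-identity-registered
- azure-appservice-authentication-enabled
- azure-appservice-enable-http2
- azure-appservice-require-client-cert
- azure-authorization-limit-role-actions
- azure-compute-disable-password-authentication
- azure-compute-enable-disk-encryption
- azure-compute-no-secrets-in-custom-data
- azure-container-configured-network-policy
- azure-container-limit-authorized-ips
- azure-container-logging
- azure-container-use-rbac-permissions
- azure-database-all-threat-alerts-enabled
- azure-database-enable-audit
- azure-database-no-public-access
- azure-database-no-public-firewall-access
- azure-database-postgres-configuration-connection-throttling
- azure-database-postgres-configuration-log-checkpoints
- azure-database-postgres-configuration-log-connections
- azure-database-retention-period-set
- azure-database-threat-alert-email-set
- azure-database-threat-alert-email-to-owner
- azure-datafactory-no-public-access
- azure-datalake-enable-at-rest-encryption
- azure-keyvault-content-type-for-secret
- azure-keyvault-ensure-key-expiry
- azure-keyvault-ensure-secret-expiry
- azure-keyvault-no-purge
- azure-keyvault-specify-network-acl
- azure-monitor-activity-log-retention-set
- azure-monitor-capture-all-activities
- azure-monitor-capture-all-regions
- azure-network-no-public-egress
- azure-network-no-public-ingress
- azure-network-retention-policy-set
- azure-security-center-alert-on-severe-notifications
- azure-security-center-enable-standard-subscription
- azure-security-center-set-required-contact-details
- azure-storage-allow-microsoft-service-bypass
- azure-storage-no-public-access
- azure-storage-queue-services-logging-enabled
- azure-synapse-virtual-network-enabled
# CloudStack
- cloudstack-compute-no-sensitive-info
# DigitalOcean
- digitalocean-compute-kubernetes-auto-upgrades-not-enabled
- digitalocean-compute-no-public-egress
- digitalocean-compute-no-public-ingress
- digitalocean-compute-surge-upgrades-not-enabled
- digitalocean-compute-use-ssh-keys
- digitalocean-spaces-acl-no-public-read
- digitalocean-spaces-disable-force-destroy
- digitalocean-spaces-versioning-enabled
# GitHub
- github-actions-no-plain-text-action-secrets
- github-repositories-private
- github-repositories-enable_vulnerability_alerts
- github-branch_protections-require_signed_commits
# Provider-independent (plaintext secret detection)
- general-secrets-no-plaintext-exposure
# Google Cloud
- google-bigquery-no-public-access
- google-compute-disk-encryption-customer-key
- google-compute-enable-shielded-vm-im
- google-compute-enable-shielded-vm-vtpm
- google-compute-enable-vpc-flow-logs
- google-compute-no-default-service-account
- google-compute-no-ip-forwarding
- google-compute-no-oslogin-override
- google-compute-no-project-wide-ssh-keys
- google-compute-no-public-egress
- google-compute-no-public-ingress
- google-compute-no-public-ip
- google-compute-no-serial-port
- google-compute-project-level-oslogin
- google-compute-vm-disk-encryption-customer-key
- google-dns-enable-dnssec
- google-dns-no-rsa-sha1
- google-gke-enable-auto-repair
- google-gke-enable-auto-upgrade
- google-gke-enable-ip-aliasing
- google-gke-enable-master-networks
- google-gke-enable-network-policy
- google-gke-enable-private-cluster
- google-gke-enable-stackdriver-logging
- google-gke-enable-stackdriver-monitoring
- google-gke-enforce-pod-security-policy
- google-gke-metadata-endpoints-disabled
- google-gke-no-legacy-authentication
- google-gke-no-public-control-plane
- google-gke-node-metadata-security
- google-gke-node-pool-uses-cos
- google-gke-node-shielding-enabled
- google-gke-use-cluster-labels
- google-gke-use-rbac-permissions
- google-gke-use-service-account
- google-iam-no-default-network
- google-iam-no-folder-level-default-service-account-assignment
- google-iam-no-folder-level-service-account-impersonation
- google-iam-no-org-level-default-service-account-assignment
- google-iam-no-org-level-service-account-impersonation
- google-iam-no-privileged-service-accounts
- google-iam-no-project-level-default-service-account-assignment
- google-iam-no-project-level-service-account-impersonation
- google-iam-no-user-granted-permissions
- google-kms-rotate-kms-keys
- google-sql-enable-backup
- google-sql-enable-pg-temp-file-logging
- google-sql-encrypt-in-transit-data
- google-sql-mysql-no-local-infile
- google-sql-no-contained-db-auth
- google-sql-no-cross-db-ownership-chaining
- google-sql-no-public-access
- google-sql-pg-log-checkpoints
- google-sql-pg-log-connections
- google-sql-pg-log-disconnections
- google-sql-pg-log-errors
- google-sql-pg-log-lock-waits
- google-sql-pg-no-min-statement-logging
- google-storage-enable-ubla
- google-storage-no-public-access
# Kubernetes
- kubernetes-network-no-public-egress
- kubernetes-network-no-public-ingress
# OpenStack
- openstack-compute-no-public-access
- openstack-networking-describe-security-group
# Oracle Cloud
- oracle-compute-no-public-ip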